Abstract. In this paper we show that states, transitions and behavior 
of concurrent systems can often be modeled as sheaves over a suitable 
topological space. In this context, geometric logic can be used to describe 
which local properties, of individual systems, are preserved, at a global 
level, when interconnecting the systems. The main area of application 
is to modular verification of complex systems. We illustrate the ideas 
by means of an example involving a family of interacting controllers for 
trains on a rail track. 



1 Introduction 

Complex systems, consisting of several components that interact, arise in a natural way in a wide range of applications. The components may be complex themselves (they may e.g. contain a database; may have their specific internal logic and an appropriate inference mechanism; a planning mechanism, etc.), or may be simple - but even then their composition can be complicated because of the necessity to take into account the interaction between the single components. One of the main problems that arise in the verification of such complex systems is the state explosion problem: the state space can grow exponentially with the number of components. Symbolic representations of states and symbolic model checking have greatly increased the size of the systems that can be verified. However, many realistic systems are still too large to be handled. It is therefore important to find techniques that can be used to further extend the size of the systems that can be verified. One possibility is to check properties in a modular way (i.e. verify them for the individual components, infer that they also hold in the system obtained by the interconnection of the individual components, and then use them to deduce additional properties of the system). Not all properties are preserved by interconnection: for instance deadlocks might occur when interconnecting deadlock-free systems. The main goal of this paper is to offer an answer to an important question in verification: 

Which properties of complex systems can be checked in a modular way? 

To answer such questions, in this paper we use an analogy with phenomena in topology and algebraic geometry, where sheaves are used to describe locally defined objects which can be patched together into a global object. Thus, sheaf theory allows one to establish links between "local" and "global" properties. We show that, given a family of interacting systems, states, actions, transitions and behavior in time can often be modeled by sheaves over a suitable topological space (where the topology expresses how the interacting systems share the information). Many properties of systems can be expressed as assertions about states, actions, transitions and behavior in time. The sheaf semantics allows us to prove, by using results from geometric logic, that those properties of systems that can be expressed by cartesian axioms are preserved after interconnecting the systems. 

The starting point of our research is the work of Goguen [6], who uses sheaves to model behavior in an 'interval of observation', and Monteiro and Pereira [13], where behavior is modeled by sheaves of monoids. The idea of modeling states, actions and transitions by sheaves with respect to a topological space, and of using geometric logic for studying the link between properties of the components and properties of the systems that arise from their interconnection occurs, to the best of our knowledge, for the first time in our previous work [16,17,18]. We present an overview of our results in [17,18] together with new results which illustrate how sheaf theory can be used for the modular verification of complex systems. We illustrate all the notions introduced by means of a running example involving a family of interacting controllers controlling subsets of consecutive trains on a linear, loop-free, rail track. The main contributions of the paper are summarized below: 

— We start with a presentation of our previous results described in [16,17,18], where we showed that states, parallel actions, transitions and behavior in time can be modeled by sheaves. Concerning these topics, the main contribution of this paper consists in illustrating the various notions we use (definition of systems, states, parallel actions, transitions, conditions on transition relations, categorical constructions, covers, gluing and sheaf properties) by means of a running example. 

— In addition to the model of behavior we considered in [16,17,18], we also analyze a description of behavior by traces of execution (modeled by free monoids and partially commutative monoids). We analyze gluing and sheaf properties also in this context. Also in this case we pay special attention to identifying situations when the stalks of the sheaves are isomorphic to the behavior of the individual systems, whereas the global sections are isomorphic to the behavior of the colimit of these systems. For this, we use results on sheaf representation in universal algebra. We establish links with existing results in the study of Petri nets and Mazurkiewicz traces [3] and on modeling behavior by sheaves of monoids [13]. 

— We use geometric logic for describing properties which can be checked modularly. We illustrate the ideas on the running example, and describe a simple example of a complex system of trains for which safety and liveness can be checked in a modular way. 

Structure of the paper. The paper is structured as follows. In Section 2 we present a model for systems (including also their states, parallel actions and transitions). Section 3 contains the definition of a category of systems and the description of pullbacks and colimits in this category. In Section 4 we give a model for complex, interacting systems, and motivate the use of sheaf theory. Sections 5-8 describe our sheaf-theoretic semantics for states, parallel actions, transitions and behavior. In Section 9 geometric logic is used to test preservation of 'local' properties under connection of systems. Several examples are given in Section 10. 

2 Systems 

Our aim is to model interconnected systems. We assume systems are described by: 

— a set $X$ of control variables of the system, a set $\Gamma$ of constraints on $X$ expressed in a language $\mathcal{L}$, 

— a set $A$ of atomic actions, and a set $C$ of constraints on $A$. 

Let $\Sigma = (Sort, O, P)$ be a signature, consisting of a set $Sort$ of sorts, a set $O$ of operation symbols and a set $P$ of predicate symbols. For a (many-sorted) set of variables $X = \{X_s\}_{s \in Sort}$ let $Fma_\Sigma(X)$ be the set of formulae over $\Sigma$. A $\Sigma$-structure is a structure $M = ((M_s)_{s \in Sort}, \{f_M\}_{f \in O}, \{R_M\}_{R \in P})$ where if $f \in O$ has arity $s_1 \ldots s_n \to s$ then $f_M : M_{s_1} \times \ldots \times M_{s_n} \to M_s$ and if $R \in P$ has arity $s_1 \ldots s_n$ then $R_M \subseteq M_{s_1} \times \ldots \times M_{s_n}$. The class of all $\Sigma$-structures is denoted $Str_\Sigma$. If $M \in Str_\Sigma$, $s : X \to M$ is a sort-preserving assignment, and $\phi \in Fma_\Sigma(X)$, $(M, s) \models \phi$ (abbreviated by $s \models \phi$) is defined in the usual way (cf. m, ch. i). 

Definition 1. A system $S$ is a tuple $(\Sigma, X, \Gamma, M, A, C)$, where 

(i) $\Sigma = (Sort, O, P)$ and $X = \{X_s\}_{s \in Sort}$ are as specified above; together they define the language $\mathcal{L}_S$ of the system $S$; 

(ii) $\Gamma \subseteq Fma_\Sigma(X)$ is a set of constraints, which is closed with respect to the semantical consequence relation$^1$ $\models_M$; 

(iii) $M \in Str_\Sigma$; 

(iv) $A$ is a set of actions; for every $a \in A$, a set $X^a \subseteq X$ of variables on which $a$ depends, and a transition relation $Tr_a \subseteq St_a \times St_a$, where $St_a = \{s|_{X^a} \mid s : X \to M, s \models \Gamma\}$, are specified; 

(v) $C$ is a set of constraints on actions, expressed by boolean equations over $F_B(A)$ (the free boolean algebra generated by $A$) stating e.g. which actions can (or have to) be executed in parallel, and which cannot; $C$ must contain all boolean equations that can be deduced from $C$. 

In what follows, we may refer to any of the components of a system $S$ by adding $S$ as a subscript, e.g. $\Sigma_S$ for its signature. $X^a_S$ will denote the minimal set of variables on which $a \in A_S$ depends, and $Tr^S_a$ the transition relation associated with $a$. 

1 The relation $\models_M$ is defined by $\Gamma \models_M \phi$ if and only if for every assignment $s : X \to M$ of values in $M$ to the variables in $X$, if $s \models \gamma$ for every $\gamma \in \Gamma$, then $s \models \phi$. 
For the sake of simplicity, in the examples below we will only mention explicitly the axioms in $\Gamma$ and $C$ and not all their consequences. 

Example 1. We consider a system consisting of $n$ consecutive trains on a linear track controlled by a radio controller (cf. also [S]). The trains report their position to the controller at fixed time intervals $\Delta t$. The controller analyzes the distances between successive trains (we assume that certain security distance thresholds $l_0 < l_1 < \cdots < l_m < \ldots$ and corresponding maximal speed limits $maxSpeed(1) < \cdots < maxSpeed(m) < \ldots$, deemed to be safe for the trains, are known) and updates the movement modes of trains accordingly. A train with movement mode $k$ can move in the next time interval $\Delta t$ with an arbitrary speed between a minimal speed and the maximal speed limit of mode $k$, $maxSpeed(k)$. The system is modeled as follows: 

(i) Language: $\Sigma = (Sort, O, P)$, where $Sort = \{real, nat\}$; 

— $O = \{+, -, minSpeed, maxSpeed, succ\}$, where: 

• $+, -$ are functions of arity $real, real \to real$, 

• $minSpeed$ is a constant of sort $real$, 

• $maxSpeed$ a function of arity $nat \to real$, and 

• $succ$ of arity $nat \to nat$. 

— $P = \{<\}$, where $<$ has arity $real, real$. 

— $X = \bigcup_{i=1}^{n} \{TrainIndex_i, ActualPos_i, RepPos_i, Mode_i\}$, where $TrainIndex_i$ controls the number of train $i$ on the linear track, and $ActualPos_i$, $RepPos_i$ and $Mode_i$ control the actual, resp. reported position and the movement mode of train $i$ respectively. 

(ii) Constraints: $\Gamma = \{succ(TrainIndex_i) = TrainIndex_{i+1} \mid i \in \{1, \ldots, n-1\}\}$. 

(iii) Model $M = (M_{nat}, M_{real}, +, -, minSpeed, maxSpeed, succ, <)$, where: 

— The universes are: 

• $M_{nat} = \mathbb{N}$; $M_{real} = \mathbb{R}$; 

— The operations are defined as follows: 

• $+, -$ are addition and subtraction on $\mathbb{R}$, 

• $succ : \mathbb{N} \to \mathbb{N}$ is the successor function, 

• $minSpeed \in \mathbb{R}$, 

• $maxSpeed : \mathbb{N} \to \mathbb{R}$ associates with a mode $k \in \mathbb{N}$ the maximal allowed speed in mode $k$; 

— The predicates are defined as follows: 

• $<$ is the order relation on $\mathbb{R}$. 

(iv) Actions: $A = \{report_i \mid i \in \{1, \ldots, n\}\} \cup \{update\} \cup \{move_i \mid i \in \{1, \ldots, n\}\}$. 

— $report_i$ depends on the variables $X^{r_i} = \{ActualPos_i, RepPos_i, Mode_i\}$. If $s, s' : X \to M$ then $(s|_{X^{r_i}}, s'|_{X^{r_i}}) \in Tr_{r_i}$ iff the following hold: 

• $s(Mode_i) = 0$, 

• $s'(RepPos_i) = s(ActualPos_i)$, 

• $s'(ActualPos_i) = s(ActualPos_i)$. 

— $update$ depends on $X^u = \bigcup_{i \in \{1, \ldots, n\}} \{ActualPos_i, RepPos_i, Mode_i\}$. If $s, s' : X \to M$ then $(s|_{X^u}, s'|_{X^u}) \in Tr_u$ iff for all $i \in \{1, \ldots, n\}$ the following hold: 

• $s(Mode_i) = 0$, 

• $s'(ActualPos_i) = s(ActualPos_i)$, 

• $s'(RepPos_i) = s(ActualPos_i)$, and 

• $s'(Mode_i)$ is updated according to the following rules: $s'(Mode_1) > 0$ and for all $i \geq 2$: if $l_k \leq s(RepPos_{i-1}) - s(RepPos_i) < l_{k+1}$ then $s'(Mode_i) = k + 1$. 

— $move_i$ depends on $X^{m_i} = \{ActualPos_i, Mode_i\}$. It is enabled at a state $s$ iff $s(Mode_i) > 0$ for all $i \in \{1, \ldots, n\}$; it changes $ActualPos_i$ according to the value of $Mode_i$ as follows, for $i \in \{1, \ldots, n\}$: $s'(ActualPos_i) \in [PosMin, PosMax]$, where: 

• $PosMin = RepPos_i + \Delta t * minSpeed$, 

• $PosMax = RepPos_i + \Delta t * maxSpeed(s(Mode_i))$; 

and it updates the value of $Mode_i$ to 0: $s'(Mode_i) = 0$ for $i \in \{1, \ldots, n\}$. 

(v) Constraints on actions: $C = \{report_1 = report_2 = \cdots = report_n = update\} \cup \{report_i \wedge move_i = 0 \mid i \in \{1, \ldots, n\}\} \cup \{move_1 = \cdots = move_n\}$. 

2.1 States, parallel actions 

It is important to describe the states of a system and the actions which can be 
performed in parallel (which we here name admissible parallel actions). 

Definition 2. Let $S = (\Sigma, X, \Gamma, M, A, C)$ be a system. 

— A state of $S$ is an assignment $s : X \to M$ satisfying all formulae in $\Gamma$. The set of states of the system $S$ is $St(S) = \{s : X \to M \mid s \models \Gamma\}$. 

— The admissible parallel actions of $S$ are sets of actions, represented by maps $f : A \to \{0, 1\}$ that satisfy all constraints in $C$. The set of admissible parallel actions of $S$ is the set $Pa(S) = \{f : A \to \{0, 1\} \mid f \text{ satisfies } C\}$. 

Below we restrict our attention to finite systems, i.e. systems whose signatures, 
sets of control variables and sets of actions are finite; this suffices for practical 
applications and avoids having to consider infinitely many actions occurring in 
parallel. 

Example 2. Consider the system $S$ in Example 1 with $n \geq 2$. A state is a map $s : X \to M$ which satisfies $\Gamma$. For instance, any map $s : X \to M$ such that: 

— $s(TrainIndex_1) = 1, s(TrainIndex_2) = 2, \ldots, s(TrainIndex_n) = n$ or 

— $s(TrainIndex_1) = 100, s(TrainIndex_2) = 101, \ldots, s(TrainIndex_n) = 100 + (n-1)$ 

is a state of $S$. If $s(TrainIndex_1) = 1$ and $s(TrainIndex_2) = 3$, $s$ cannot be a state. An admissible parallel action is a map $f : A \to \{0, 1\}$ which satisfies the constraints in $C$. Examples of admissible parallel actions are 

1. $f(report_1) = f(report_2) = \ldots = f(report_n) = f(update) = 1$, and $0$ otherwise, 

2. $f(move_1) = \cdots = f(move_n) = 1$ and $0$ otherwise. 

Any map $f$ with $f(move_1) = f(report_1) = 1$, or with $f(report_1) = 0$ but $f(update) = 1$, is not an admissible parallel action, since it does not satisfy the constraints in $C$. 
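The train system of Examples 1 and 2 made executable, as an added example that is not part of the paper: it checks the state constraints $\Gamma$, enumerates the admissible parallel actions satisfying $C$, and computes the successor state of the $update$ action and the position interval of the $move$ actions. The numeric values ($\Delta t$, $minSpeed$, $maxSpeed(k)$, the thresholds $l_0 < l_1 < l_2$) and the handling of distances outside the threshold range are assumptions, not taken from the paper.

```python
# Added example (not the paper's code): the train system of Examples 1-2.
# Assumed values: Delta t = 1, minSpeed = 1, maxSpeed(k) = 10*k, thresholds l_0 < l_1 < l_2.
from itertools import product

DT = 1.0
MIN_SPEED = 1.0
THRESHOLDS = [10.0, 20.0, 40.0]      # l_0, l_1, l_2 (constructed values)


def max_speed(mode):
    return 10.0 * mode               # maxSpeed(k), constructed


def actions(n):
    """A = {report_i} u {update} u {move_i}."""
    return ([f"report_{i}" for i in range(1, n + 1)] + ["update"]
            + [f"move_{i}" for i in range(1, n + 1)])


def is_state(s, n):
    """Gamma: succ(TrainIndex_i) = TrainIndex_{i+1} for i = 1..n-1."""
    return all(s[f"TrainIndex_{i}"] + 1 == s[f"TrainIndex_{i+1}"] for i in range(1, n))


def is_admissible(f, n):
    """C: report_1 = ... = report_n = update; report_i AND move_i = 0; move_1 = ... = move_n."""
    reports = [f[f"report_{i}"] for i in range(1, n + 1)]
    moves = [f[f"move_{i}"] for i in range(1, n + 1)]
    if len(set(reports + [f["update"]])) != 1:
        return False
    if any(r and m for r, m in zip(reports, moves)):
        return False
    return len(set(moves)) == 1


def admissible_parallel_actions(n):
    """Pa(S): all maps f : A -> {0,1} that satisfy C (brute force, finite system)."""
    acts = actions(n)
    result = []
    for bits in product((0, 1), repeat=len(acts)):
        f = dict(zip(acts, bits))
        if is_admissible(f, n):
            result.append(f)
    return result


def mode_for_distance(d):
    """l_k <= d < l_{k+1} gives mode k+1. Below l_0 the mode stays 0, so move is not
    enabled; at or above the last threshold the top mode is used (both assumptions)."""
    mode = 0
    for k, lk in enumerate(THRESHOLDS):
        if d >= lk:
            mode = k + 1
    return mode


def update_transition(s, n):
    """Successor of s under `update` (Example 1 (iv)); None if some Mode_i != 0."""
    if any(s[f"Mode_{i}"] != 0 for i in range(1, n + 1)):
        return None
    t = dict(s)
    for i in range(1, n + 1):
        t[f"RepPos_{i}"] = s[f"ActualPos_{i}"]
    t["Mode_1"] = len(THRESHOLDS)    # the paper only demands Mode_1 > 0; top mode assumed
    for i in range(2, n + 1):
        t[f"Mode_{i}"] = mode_for_distance(s[f"RepPos_{i-1}"] - s[f"RepPos_{i}"])
    return t


def move_bounds(s, n):
    """[PosMin, PosMax] per train for the parallel action move_1 = ... = move_n;
    None if the action is not enabled (some Mode_i = 0)."""
    if any(s[f"Mode_{i}"] <= 0 for i in range(1, n + 1)):
        return None
    return {i: (s[f"RepPos_{i}"] + DT * MIN_SPEED,
                s[f"RepPos_{i}"] + DT * max_speed(s[f"Mode_{i}"]))
            for i in range(1, n + 1)}


def example_state(positions):
    """Constructed state: trains numbered 1..n in mode 0, at the given (reported) positions."""
    s = {}
    for i, pos in enumerate(positions, start=1):
        s[f"TrainIndex_{i}"] = i
        s[f"ActualPos_{i}"] = s[f"RepPos_{i}"] = float(pos)
        s[f"Mode_{i}"] = 0
    return s
```

With trains at positions 100, 75, 70 the third train is closer than $l_0$ to its predecessor, so `update` leaves it in mode 0 and the parallel `move` action is not enabled.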
2.2 Transitions 

Let $S = (\Sigma, X, \Gamma, M, A, C)$ be a system. Let $Tr_S(a) = \{(s_1, s_2) \mid s_1, s_2 \in St(S), (s_1|_{X^a}, s_2|_{X^a}) \in Tr_a, s_1(x) = s_2(x) \text{ if } x \notin X^a\}$. We extend the notion of transition to parallel actions. For this we present two (non-equivalent) properties of transitions that express compatibility of the actions in an admissible parallel action: 

(Disj) Let $f \in Pa(S)$, $s \in St(S)$ such that for every $a \in f^{-1}(1)$ there is an $s_a \in St(S)$ with $(s|_{X^a}, s_a|_{X^a}) \in Tr_a$. Then for all $a, b \in f^{-1}(1)$ and $x \in X^a \cap X^b$, $s_a(x) = s_b(x)$ (the new local states agree on intersections). Then, 

$Tr_S(f) = \{(s, t) \mid s, t \in St(S), (s|_{X^a}, t|_{X^a}) \in Tr_a \text{ for every } a \text{ such that } f(a) = 1, \text{ and } s(x) = t(x) \text{ if } x \notin \bigcup_{a, f(a) = 1} X^a\}$. 

The property (Disj) applies when a parallel action $f : A \to \{0, 1\}$ is admissible iff its components do not consume common resources. This happens e.g. if for all $a_1, a_2 \in A$ with $f(a_1) = f(a_2) = 1$, either $a_1 = a_2 \in C$ or $X^{a_1}$ and $X^{a_2}$ are disjoint. In concurrency theory, this property is called "real parallelism" or "independence". 

Example 3. Consider the example in Section 2. Let $f : A \to \{0, 1\}$ be an admissible parallel action. We have two possibilities: 

(i) $f(report_1) = \cdots = f(report_n) = f(update) = 1$ and $0$ otherwise. 

The transition relation of this parallel action updates the value of each variable $RepPos_i$ according to the transition relation of $report_i$, resp. $update$. The changes are not contradictory, since the effect of $update$ agrees with the effect of $report_1, \ldots, report_n$ on the variables in $X^u \cap X^{r_i}$. Thus, (Disj) holds. 

(ii) $f(report_1) = \cdots = f(report_n) = f(update) = 0$ and $f(move_1) = \cdots = f(move_n) = 1$ and $f$ is $0$ otherwise. As the actions $move_j$, $j = 1, \ldots, n$ depend on disjoint sets of variables, (Disj) is satisfied also in this case. The transition relation of this parallel action updates the value of each variable $ActualPos_i$. Since the sets of variables these actions depend upon, namely $X^{m_i}$, are mutually disjoint, these changes cannot be contradictory. 

(Indep) Assume that if $a = b \in C$ then $X^a = X^b$ and $Tr_a = Tr_b$, and $a$ and $b$ can both be identified with one action: the parallel execution of $a, b$. Let $f \in Pa(S)$, $s \in St(S)$. We identify all $a, b \in A$ with $a = b \in C$ and $f(a) = f(b) = 1$. Let $\{b_1, \ldots, b_m\} \subseteq f^{-1}(1)$. We assume that: 

(i) $g : A \to \{0, 1\}$, defined by $g(a) = 1$ iff $a \in \{b_1, \ldots, b_m\}$, is in $Pa(S)$; 

(ii) if $s \xrightarrow{b_1} s_1 \xrightarrow{b_2} s_2 \to \ldots \to s_{m-1} \xrightarrow{b_m} t$ then for every permutation $\sigma$ of $\{1, \ldots, m\}$, there exist states $t^\sigma_1, t^\sigma_2, \ldots, t^\sigma_{m-1}$ such that we have 

$s \xrightarrow{b_{\sigma(1)}} t^\sigma_1 \xrightarrow{b_{\sigma(2)}} t^\sigma_2 \to \ldots \to t^\sigma_{m-1} \xrightarrow{b_{\sigma(m)}} t$. 

In this case we define the transition associated with a parallel action $f$ by: 

$Tr_S(f) = \{(s, t) \mid s, t \in St(S), \text{ and } \exists s_0, s_1, \ldots, s_{n-1}, s_n \in St(S) \text{ such that } s_0 = s \text{ and } s_n = t, \text{ and for all } i \text{ with } 1 \leq i \leq n, (s_{i-1}, s_i) \in Tr_S(a_i)\}$. 

It is easy to see that if $(s, t) \in Tr_S(f)$ then $s(x) = t(x)$ for every $x \notin \bigcup_{a, f(a) = 1} X^a$. 

The property (Indep) reflects how transitions are interpreted when actions to be performed in parallel do consume common resources. It applies if the state reached after executing an action is uniquely determined: the fact that all components of a parallel action $f : A \to \{0, 1\}$ can be applied at a state $s$ is a necessary condition for $f$ to be applicable at state $s$, but in general not sufficient (in addition, one has to ensure that there are enough resources to perform all actions). Condition (Indep)(i) holds e.g. if $C$ is the set of all consequences of a set $C_0$ consisting only of formulae of the form $a_1 = a_2$ and $a_1 \wedge a_2 = 0$. Condition (Indep)(ii) states that the final state does not depend on the order in which the actions are executed (it is related to the notions of interleaving and permutable actions used in concurrency). 

Example 4. We consider a variant of Example 1 in which we assume that there is no control unit, but all trains have access to all information about the positions of all trains. The trains report all together and move all together. The actions are $A = \{report_1, \ldots, report_n\} \cup \{move_1, \ldots, move_n\}$, with constraints $C = \{report_1 = \cdots = report_n\} \cup \{move_1 = \cdots = move_n\} \cup \{report_i \wedge move_i = 0 \mid i \in \{1, \ldots, n\}\}$. 

Let $f : A \to \{0, 1\}$ be an admissible parallel action. Then $f^{-1}(1)$ is either $\emptyset$ or $\{report_1, \ldots, report_n\}$ or $\{move_1, \ldots, move_n\}$. As in all cases the actions in $f^{-1}(1)$ depend on disjoint sets of variables, the final state does not depend on the order in which the actions would be performed sequentially. 

3 A category of systems 

Essential to our model for communication is that systems have common subsystems through which information exchange is made. Let $S, T$ be two systems. We say that $S$ is a subsystem of $T$ (denoted $S \rightarrowtail T$) if $\Sigma_S \subseteq \Sigma_T$, $X_S \subseteq X_T$, $A_S \subseteq A_T$, the constraints in $\Gamma_S$ (resp. $C_S$) are consequences of the constraints in $\Gamma_T$ (resp. $C_T$), and $M_S = M_T|_{\Sigma_S}$ (the reduct of $M_T$ to the signature $\Sigma_S$). Let $S \rightarrowtail T$. If we regard a transition in $T$ from the perspective of $S$, some variables in $S$ may change their values with no apparent cause, namely if some action in $A_T$ but not in $A_S$ is performed, which depends on variables in $X_S$. If this cannot be the case, we call the subsystem $S \rightarrowtail T$ transition-connected. Formally: 

Definition 3. $S$ is a transition-connected (t.c.) subsystem of $T$ (denoted $S \hookrightarrow T$) if $S \rightarrowtail T$ and the following two conditions hold: 

($T_1$) If $a \in A_T$ and $X^a_T \cap X_S \neq \emptyset$ then $a \in A_S$, and $X^a_S = X^a_T \cap X_S$. 

($T_2$) If $a \in A_S$, $s_1, s_2 \in St(T)$, and $(s_1|_{X^a_T}, s_2|_{X^a_T}) \in Tr^T_a$, then $(s_1|_{X^a_S}, s_2|_{X^a_S}) \in Tr^S_a$. 

It is easy to see that the relation $\hookrightarrow$ is a partial order on systems. 

Example 5. Consider the system $S = (\Sigma, X, \Gamma, M, A, C)$ in Example 1. Let $k$ and $l$ be such that $1 \leq k \leq l \leq n$ and let $I = \{k, \ldots, l\}$. Consider the restriction $S^l_k = (\Sigma, X^l_k, \Gamma^l_k, M, A^l_k, C^l_k)$ of $S$ to the consecutive trains controlled by the variables in $\{TrainIndex_i \mid i \in I\}$. 

— $X^l_k = \bigcup_{i \in I} \{TrainIndex_i, ActualPos_i, RepPos_i, Mode_i\}$, 

— $\Gamma^l_k = \{succ(TrainIndex_i) = TrainIndex_{i+1} \mid i \in \{k, \ldots, l-1\}\}$, 

— $A^l_k = \{report_i \mid i \in I\} \cup \{update\} \cup \{move_i \mid i \in I\}$, and 

— $C^l_k$ is the restriction of $C$ to the actions in $A^l_k$: 

$C^l_k = \{report_i = update \mid i \in I\} \cup \{report_i \wedge move_i = 0 \mid i \in I\} \cup \{move_k = \cdots = move_l\}$. 

Condition ($T_1$) obviously holds: if an action of $S$ depends on variables known in $S^l_k$, then the action is known in $S^l_k$. Condition ($T_2$) obviously holds for $\{report_i \mid i \in I\} \cup \{move_i \mid i \in I\}$ and, for $update$, for all trains which follow a train known in $S^l_k$. For the first train ($T_2$) is a consequence of the fact that the mode update restrictions in $S$ are stronger than those in $S^l_k$ (any mode allowed in $S$ is still allowed in $S^l_k$). 

We define a category TcSys having as objects systems, and a morphism $S \hookrightarrow T$ between $S$ and $T$ whenever $S$ is a t.c. subsystem of $T$. TcSys has pullbacks (infima with respect to this order of t.c. subsystems of a given system; we will denote this operation by $\wedge$) and colimits of diagrams of t.c. subsystems of a given system. 

Proposition 1. The category TcSys has pullbacks. 

Proof: Let $S_1 \hookrightarrow S$ and $S_2 \hookrightarrow S$, where $S = (\Sigma, X, \Gamma, M, A, C)$, $S_i = (\Sigma_i, X_i, \Gamma_i, M_i, A_i, C_i)$. Then $M_i = M|_{\Sigma_i}$, and for every $a \in A_i$, $X^a_i = X^a_S \cap X_i$ ($i = 1, 2$). Hence, for every $a \in A_1 \cap A_2$, $X^a_1 \cap X_2 = X^a_2 \cap X_1 = X^a_S \cap X_1 \cap X_2$. 

Let $S_{12} = (\Sigma_1 \cap \Sigma_2, X_1 \cap X_2, \Gamma_1 \cap \Gamma_2, M_S|_{\Sigma_1 \cap \Sigma_2}, A_1 \cap A_2, C_1 \cap C_2)$, and such that for every $a \in A_1 \cap A_2$, $X^a_{12} = X^a_1 \cap X_2 = X^a_2 \cap X_1 = X^a_S \cap X_1 \cap X_2$, and $Tr^{12}_a = \{(s_1|_{X^a_{12}}, s_2|_{X^a_{12}}) \mid s_1, s_2 \in St(S_1), (s_1|_{X^a_1}, s_2|_{X^a_1}) \in Tr^{S_1}_a\} \cup \{(s_1|_{X^a_{12}}, s_2|_{X^a_{12}}) \mid s_1, s_2 \in St(S_2), (s_1|_{X^a_2}, s_2|_{X^a_2}) \in Tr^{S_2}_a\}$. It is easy to see that $S_{12}$ is a transition-connected subsystem of both $S_1$ and $S_2$, and has the universality property of a pullback. □ 

Proposition 2. Let $S = (\Sigma, X, M, \Gamma, A, C)$ be a system and $\{S_i \hookrightarrow S \mid i \in I\}$ a family of transition-connected subsystems of $S$, where for every $i \in I$, $S_i = (\Sigma_i, X_i, M_i, \Gamma_i, A_i, C_i)$. The colimit of this family in TcSys is the system $\tilde{S}$ with: 

— $\Sigma_{\tilde{S}} = \bigcup_{i \in I} \Sigma_i$, 

— $M_{\tilde{S}} = M|_{\bigcup_{i \in I} \Sigma_i}$, 

— $\Gamma_{\tilde{S}} = (\bigcup_{i \in I} \Gamma_i)^*$ (the family of all logical consequences of $\bigcup_{i \in I} \Gamma_i$), 

— $A_{\tilde{S}} = \bigcup_{i \in I} A_i$, 

— $C_{\tilde{S}} = (\bigcup_{i \in I} C_i)^*$ (the family of all logical consequences of $\bigcup_{i \in I} C_i$), 

and where for every $a \in \bigcup_{i \in I} A_i$, $X^a_{\tilde{S}} = \bigcup_{i : a \in A_i} X^a_i$, and $Tr^{\tilde{S}}_a = \{(s_1|_{X^a_{\tilde{S}}}, s_2|_{X^a_{\tilde{S}}}) \mid s_1, s_2 \in St(\tilde{S}), \text{ and for every } i \in I \text{ with } a \in A_i, (s_1|_{X^a_i}, s_2|_{X^a_i}) \in Tr^{S_i}_a\}$. 

Proof: (Sketch) One needs to show that for every $i \in I$, $S_i$ is a transition-connected subsystem of $\tilde{S}$, and that $\tilde{S}$ satisfies the universality property of a colimit. The proof is long, but straightforward. □ 

Example 6. Consider the system $S$ in Example 1 and two restrictions $S_1 = S^n_k$ and $S_2 = S^l_1$ constructed as in Example 5. The pullback of $S_1$ and $S_2$ is $S_{12} = S^l_k$ (defined as in Example 5 if $k \leq l$, or the system with the empty set of control variables and actions if $l < k$). The colimit $\tilde{S}$ of the diagram $\{S_1, S_2, S_{12}\}$ (with transition-connected morphisms $S^l_k \hookrightarrow S^n_k$, $S^l_k \hookrightarrow S^l_1$) has the following components: 

— $\Sigma_{\tilde{S}} = \Sigma$; $M_{\tilde{S}} = M$; 

— $X_{\tilde{S}} = \bigcup_{i \in \{1, \ldots, l\} \cup \{k, \ldots, n\}} \{TrainIndex_i, ActualPos_i, RepPos_i, Mode_i\}$, 

— $\Gamma_{\tilde{S}} = \{succ(TrainIndex_i) = TrainIndex_{i+1} \mid i \in \{1, \ldots, l-1\} \cup \{k, \ldots, n-1\}\}^*$; 

— $A_{\tilde{S}} = \bigcup_{i \in \{1, \ldots, l\} \cup \{k, \ldots, n\}} \{report_i, move_i\} \cup \{update\}$; 

— $C_{\tilde{S}} = (\{report_i = update \mid i \in \{1, \ldots, l\} \cup \{k, \ldots, n\}\} \cup \{report_i \wedge move_i = 0 \mid i \in \{1, \ldots, l\} \cup \{k, \ldots, n\}\} \cup \{move_1 = \cdots = move_l\} \cup \{move_k = \cdots = move_n\})^*$. 

If $k \leq l$ then $\tilde{S}$ coincides with $S$. If $l < k - 1$ then $X_{\tilde{S}} \neq X$, so $\tilde{S}$ is obviously different from $S$. Assume now that $l = k - 1$. Then $X_{\tilde{S}} = X$, $A_{\tilde{S}} = A$, $C_{\tilde{S}} = C$, but $\Gamma_{\tilde{S}} \neq \Gamma$ (the constraint $succ(TrainIndex_{k-1}) = TrainIndex_k$ cannot be recovered from $\Gamma^l_1 \cup \Gamma^n_k$), hence $\tilde{S}$ is different from $S$ also in this case. 



4 Modeling families of interacting systems 

When analyzing concrete complex systems, we tend to be interested in a subcategory of TcSys, containing only the systems relevant for a given application. To this end, we assume a family InSys of interacting systems is specified, fulfilling: 

1. All $S \in$ InSys are transition-connected subsystems of a system $\tilde{S}$ with $A_{\tilde{S}}$ finite. 

2. InSys is closed under all pullbacks $S_1 \wedge S_2$ of t.c. subsystems $S_1, S_2$ of $\tilde{S}$. 

3. (InSys, $\wedge$) is a meet-semilattice. 

The first condition enforces the compatibility of models on common sorts and the finiteness of $A_S$ for every $S \in$ InSys; the second and third condition ensure that all systems by which communication is handled are taken into account. A system obtained by interconnecting some elements of InSys can either be seen as the set of all elements of InSys by whose interaction it arises (a subset of InSys which is downwards-closed with respect to $\hookrightarrow$) or as the colimit of such a family of elements. We define $\Omega$(InSys) as consisting of all families of elements of InSys which are closed under transition-connected subsystems. Clearly, $\Omega$(InSys) is a topology on InSys. 

Note: It is easy to see that $\Omega$(InSys) is the Alexandroff topology associated with the dual of the poset (InSys, $\hookrightarrow$). Since we assumed that InSys is finite and closed under pullbacks, this topology coincides with the Scott topology associated with the dual of (InSys, $\hookrightarrow$). 

Example 7. Consider now the extension of the example in Section 2 considered in Example 6. Let $k \leq l \in \{1, \ldots, n\}$, let $I_1 = \{k, \ldots, n\}$, $I_2 = \{1, \ldots, l\}$, $I_{12} = \{k, \ldots, l\}$, and let InSys $= \{S_1, S_2, S_{12}\}$ be the family consisting of the subsystems of $S = (\Sigma, X, \Gamma, M, A, C)$ described in Section 2 corresponding to the sets of trains with indices in $I_1$, $I_2$ and $I_{12}$ respectively: $S_1 = S^n_k$, $S_2 = S^l_1$, $S_{12} = S^l_k$. Then InSys satisfies conditions (i), (ii) and (iii) above. The system obtained by interconnecting $S_1, S_2, S_{12}$ can be regarded either as the set $\{S_1, S_2, S_{12}\}$ or as the colimit of the diagram defined by these systems, which coincides with the system $S$ defined in Section 2. In this case, $\Omega$(InSys) consists of the following sets: $\{\emptyset, \{S_{12}\}, \{S_1, S_{12}\}, \{S_2, S_{12}\}, \{S_1, S_2, S_{12}\}\}$. 

Our goal is to express the links between components of a system and the result of their interconnection. We start from the observation that compatible local states can be 'glued' into a global state (similarly for parallel actions and transitions). For expressing such a gluing condition in a general setting, we use sheaf theory. 

4.1 Sheaf theory: An introduction 

In what follows, notions from category theory are assumed to be known. For definitions and details we refer to [S] or [T^]. (In what follows categories and sheaves will be denoted in sans-serif style, e.g. Set, Sh($I$).) 

Let $I$ be a topological space, and $\Omega(I)$ the topology on $I$. 

Definition 4. A presheaf on $I$ is a functor $P : \Omega(I)^{op} \to$ Sets. Let $U \subseteq V$ be open sets in $I$, and $i^V_U : U \to V$ the inclusion morphism in $\Omega(I)$. The restriction to $U$, $P(i^V_U) : P(V) \to P(U)$, is denoted by $\rho^V_U$. 

A sheaf on $I$ is a presheaf $F : \Omega(I)^{op} \to$ Sets that satisfies the following condition: 

for each open cover $(U_i)_i$ of $U$ and family of elements $s_i \in F(U_i)$ s.t. for all $i, j$, $\rho^{U_i}_{U_i \cap U_j}(s_i) = \rho^{U_j}_{U_i \cap U_j}(s_j)$, there is a unique $s \in F(U)$ with $\rho^U_{U_i}(s) = s_i$ for all $i$. 

The morphisms of (pre)sheaves are natural transformations. We denote by PreSh($I$) the category of presheaves over $I$ and by Sh($I$) the category of sheaves over $I$. 






Definition 5. The stalk of a sheaf $F$ on $I$ at a point $i \in I$ is the colimit $F_i = \varinjlim_{i \in U} F(U)$, where $U$ ranges over all open neighborhoods of $i$. The assignment $F \mapsto F_i$ defines the stalk functor at $i$, $Stalk_i :$ Sh($I$) $\to$ Set. 

Sheaves can be defined also in a different way. An indexed system of sets $(F_i)_{i \in I}$ can alternatively be regarded as a map $f : F = \coprod_{i \in I} F_i \to I$, with the property that for every $x \in F$, $f(x) = i$ if and only if $x \in F_i$. If the index set $I$ has a topology, then the set $F$ can be endowed with a topology such that $f$ is continuous (i.e. the sets in the family $(F_i)_{i \in I}$ are continuously indexed). 

Definition 6. A bundle over $I$ is a triple $(F, f, I)$ where $F$ and $I$ are topological spaces and $f : F \to I$ is continuous. For every $i \in I$, $f^{-1}(i)$ will be denoted by $F_i$. Then $F = \coprod_{i \in I} F_i$. Let $(F, f, I)$ and $(G, g, I)$ be two bundles over $I$. A morphism between $(F, f, I)$ and $(G, g, I)$ is a continuous map $h : F \to G$ such that $g \circ h = f$. The category of bundles over $I$ is denoted Sp/$I$. 

Let LH/$I$ be the full subcategory of Sp/$I$ with objects $(F, f, I)$, where $f : F \to I$ is a local homeomorphism (i.e. for every $a \in F$ there are open neighborhoods $U$ and $V$ of $a$ respectively $f(a)$ such that $f : U \to V$ is a homeomorphism). 

Definition 7. Let $(F, f, I)$ be a bundle over $I$. A partial section defined on an open subset $U \subseteq I$ is a continuous map $s : U \to F$ with the property that $f \circ s$ is the inclusion $U \subseteq I$. A section defined on $I$ is called a global section. The set of all partial sections over the open subset $U$ of $I$ will be denoted by $\Gamma(F, f)(U)$. 

The following links between (pre)sheaves and bundles exist: 

— For every bundle $(F, f, I)$ let $\Gamma(F) = \{s : I \to F \mid s \text{ continuous and } f \circ s = id_I\}$, the set of all global sections of $F$. This defines a functor 

$\Gamma :$ Sp/$I$ $\to$ PreSh($I$). 

— Let $F$ be a presheaf on $I$. For every $i \in I$ let $F_i$ be the stalk of $F$ at the point $i \in I$. The collection of stalks $(F_i)_{i \in I}$ is an $I$-indexed family of sets. Let $D(F)$ denote the disjoint union of the stalks, and let $\pi : D(F) \to I$ be the canonical projection on $I$ defined by $\pi(x) = i$ iff $x \in F_i$. For $s \in F(U)$ and $i \in U$, let $s_i$ be the image of $s$ in $F_i$. The map $\dot{s} : U \to D(F)$, $\dot{s}(i) = s_i$, defines a partial section of $\pi : D(F) \to I$; we impose on $D(F)$ the coarsest topology for which all such sections are continuous. $D(F) = (D(F), \pi, I)$ is a bundle. This construction defines a functor 

$D :$ PreSh($I$) $\to$ Sp/$I$. 

Theorem 1 (cf. [9,12]). The functor $D :$ PreSh($I$) $\to$ Sp/$I$ preserves finite limits and is left adjoint to $\Gamma :$ Sp/$I$ $\to$ PreSh($I$). The functors $D, \Gamma$ restrict to an equivalence of categories between Sh($I$) and LH/$I$. 

$\Gamma \circ D :$ PreSh($X$) $\to$ Sh($X$) is known as the sheafification functor. 

Theorem 2 (cf. [9,12]). The inclusion Sh($X$) $\to$ PreSh($X$) has a left adjoint, $\Gamma \circ D :$ PreSh($X$) $\to$ Sh($X$). The sheafification functor $\Gamma \circ D$ preserves all finite limits. 
5 States, partial actions 

Let InSys be a family of systems satisfying conditions (i), (ii), (iii) in Section 4 and $\Omega$(InSys) be the topology on InSys consisting of all subsets of InSys which are closed under t.c. subsystems. We define functors modeling states and parallel actions: 

(St) St : $\Omega$(InSys)$^{op} \to$ Set is defined as follows: 

Objects: St($U$) $= \{(s_i)_{S_i \in U} \mid s_i \in St(S_i), \text{ and if } S_i \hookrightarrow S_j \text{ then } s_i = s_j|_{X_i}\}$; 
Morphisms: if $U_1 \subseteq U_2$, St($i$) : St($U_2$) $\to$ St($U_1$) is St($i$)$((s_i)_{S_i \in U_2}) = (s_i)_{S_i \in U_1}$. 

(Pa) Pa : $\Omega$(InSys)$^{op} \to$ Set is defined as follows: 

Objects: Pa($U$) $= \{(f_i)_{S_i \in U} \mid f_i \in Pa(S_i), \text{ and if } S_i \hookrightarrow S_j \text{ then } f_i = f_j|_{A_i}\}$; 
Morphisms: if $U_1 \subseteq U_2$, Pa($i$) : Pa($U_2$) $\to$ Pa($U_1$) is Pa($i$)$((f_i)_{S_i \in U_2}) = (f_i)_{S_i \in U_1}$. 

Example 8. Consider the family InSys = {Si, S12, S2} in Example^ 

States. Any tuple $(s_1, s_2, s_{12})$, where $s_i \in \mathrm{St}(S_i)$ for $i \in \{1, 2, 12\}$ and $s_1|_{X_{12}} = s_2|_{X_{12}} = s_{12}$, is an element of $\mathrm{St}(\mathrm{InSys})$. Assume first that $k \le l$.

— Let $s_1 : X_{S_1} \to M$ be such that $s_1(\mathrm{TrainIndex}_i) = i$ for all $i \in \{1, \dots, l\}$, and let $s_2$, $s_{12}$ be such that $s_1|_{X_{12}} = s_2|_{X_{12}} = s_{12}$. Then $(s_1, s_2, s_{12}) \in \mathrm{St}(\mathrm{InSys})$.

— Let $s_1 : X_{S_1} \to M$ be defined by $s_1(\mathrm{TrainIndex}_i) = i$ for all $i \in \{1, \dots, l\}$, and $s_2 : X_{S_2} \to M$ be defined by $s_2(\mathrm{TrainIndex}_i) = i + 1$ for all $i \in \{k, \dots, n\}$. Then $s_1 \in \mathrm{St}(S_1)$ and $s_2 \in \mathrm{St}(S_2)$, but they do not agree on the common control variables (in particular, $s_1(\mathrm{TrainIndex}_k) = k$ while $s_2(\mathrm{TrainIndex}_k) = k + 1$). So $(s_1, s_2, s_1|_{X_{S_{12}}}) \notin \mathrm{St}(\mathrm{InSys})$.

Assume now that $l < k$. Then $S_{12}$ is the system with an empty set of control variables. Hence $s_1 : X_{S_1} \to M$ defined by $s_1(\mathrm{TrainIndex}_i) = i$ for all $i \in \{1, \dots, l\}$, and $s_2 : X_{S_2} \to M$ defined by $s_2(\mathrm{TrainIndex}_i) = i + 1$ for all $i \in \{k, \dots, n\}$, agree on the common variables. Therefore $(s_1, s_2, s_1|_{X_{S_{12}}}) \in \mathrm{St}(\mathrm{InSys})$.

Let $U = \{S_1, S_{12}, S_2\}$ and $U_1 = \{S_1, S_{12}\}$ be the two sets in $\Omega(\mathrm{InSys})$ which contain $S_1$, and let $\iota$ be the inclusion of $U_1$ in $U$. Then $\mathrm{St}(\iota) : \mathrm{St}(U) \to \mathrm{St}(U_1)$ is defined by $\mathrm{St}(\iota)(s_1, s_2, s_{12}) = (s_1, s_{12})$.

Parallel Actions. Any tuple $(f_1, f_2, f_{12})$, where $f_i \in \mathrm{Pa}(S_i)$ for $i \in \{1, 2, 12\}$ and $f_1|_{A_{12}} = f_2|_{A_{12}} = f_{12}$, is an element of $\mathrm{Pa}(\mathrm{InSys})$. In particular:

— $(f_1, f_2, f_{12})$ with $f_j^{-1}(1) = \{\mathrm{report}_i \mid i \in I_j\} \cup \{\mathrm{update}\}$. These are admissible parallel actions in the corresponding systems, and $f_1|_{A_{12}} = f_2|_{A_{12}} = f_{12}$. Then $(f_1, f_2, f_{12}) \in \mathrm{Pa}(\mathrm{InSys})$.

Tuples $(f_1, f_2, f_{12})$ which do not satisfy these conditions are not in $\mathrm{Pa}(\mathrm{InSys})$:

— $(f_1, f_2, f_{12})$ with $f_j^{-1}(1) = \{\mathrm{report}_i \mid i \in I_j\} \cup \{\mathrm{update}\} \cup \{\mathrm{move}_i \mid i \in I_j\}$ is not in $\mathrm{Pa}(\mathrm{InSys})$, because the components are not admissible parallel actions.

— $(f_1, f_2, f_{12})$ with $f_1^{-1}(1) = \{\mathrm{report}_i \mid i \in I_1\} \cup \{\mathrm{update}\}$ and $f_2^{-1}(1) = \{\mathrm{move}_i \mid i \in I_2\}$ is not in $\mathrm{Pa}(\mathrm{InSys})$, because the components do not agree on $A_{12}$.

Theorem 3 ([18]). The functors St and Pa are sheaves on InSys. For each $S_i \in \mathrm{InSys}$, the stalk at $S_i$ of St (resp. Pa) is in bijection with $\mathrm{St}(S_i)$ (resp. $\mathrm{Pa}(S_i)$). Moreover, for each $U \in \Omega(\mathrm{InSys})$, $\mathrm{St}(U)$ (resp. $\mathrm{Pa}(U)$) is in bijection with $\mathrm{St}(S_U)$ (resp. $\mathrm{Pa}(S_U)$), where $S_U$ is the colimit of the diagram defined by $U$.

Example 9. Let $\mathrm{InSys} = \{S_1, S_{12}, S_2\}$ as defined in Example 7 (with $k \le l$):

(1) An example of an open cover for $U = \{S_1, S_2, S_{12}\}$ is $\{U_1, U_2, U_{12}\}$, where $U_1 = \{S_1, S_{12}\}$, $U_2 = \{S_2, S_{12}\}$, $U_{12} = \{S_{12}\}$. Let $(s_1, s_{12}) \in \mathrm{St}(U_1)$ and $(t_2, t_{12}) \in \mathrm{St}(U_2)$ be such that $\rho^{U_1}_{U_{12}}(s_1, s_{12}) = \rho^{U_2}_{U_{12}}(t_2, t_{12})$. Then $s_{12} = t_{12}$ and there is a unique element $(s_1, t_2, s_{12}) \in \mathrm{St}(U)$ such that $\rho^{U}_{U_1}(s_1, t_2, s_{12}) = (s_1, s_{12})$ and $\rho^{U}_{U_2}(s_1, t_2, s_{12}) = (t_2, t_{12})$. Similarly for Pa.

(2) The stalk of St at $S_1$ is the colimit of the diagram $\mathrm{St}(U) \xrightarrow{\mathrm{St}(\iota)} \mathrm{St}(U_1) \xrightarrow{\mathrm{St}(\mathrm{id})} \mathrm{St}(U_1)$ and hence in bijection with $\mathrm{St}(U_1)$. Similarly for Pa.

(3) It can be seen that $\mathrm{St}(U)$ is in bijection with $\mathrm{St}(S)$, where $S$ is the system in the example in Section 1. Let $(s_1, s_2, s_{12}) \in \mathrm{St}(U)$. Then $s : X \to M$ defined by $s(x) = s_i(x)$ iff $x \in X_i$ is well defined (due to the definition of $\mathrm{St}(U)$) and in $\mathrm{St}(S)$. Conversely, if $s \in \mathrm{St}(S)$, then $(s|_{X_1}, s|_{X_2}, s|_{X_{12}}) \in \mathrm{St}(U)$.

Also $\mathrm{Pa}(U)$ is in bijection with $\mathrm{Pa}(S)$: if $(f_1, f_2, f_{12}) \in \mathrm{Pa}(U)$ then $f : A \to \{0, 1\}$ defined by $f(x) = f_i(x)$ iff $x \in A_i$ is well defined (due to the definition of $\mathrm{Pa}(U)$). It can also be checked that if $f_1 \models C_1$ and $f_2 \models C_2$ then $f \models C$. Thus, $f \in \mathrm{Pa}(S)$. The converse is immediate.

Assume now that $S_1, S_2, S_{12}$ are as in Example 8 but $l < k$, say $l = k - 1$. The open cover and stalk construction in (1) and (2) above are the same. However, $\mathrm{St}(U)$ is in bijection with $\mathrm{St}(S')$, where $S'$ is the colimit of the diagram defined by $U$ as described in Example 6, which in this case is different from $S$. In particular, $s : X \to M$ with $s(\mathrm{TrainIndex}_1) = 1$, $s(\mathrm{TrainIndex}_2) = 2, \dots, s(\mathrm{TrainIndex}_{k-1}) = k - 1$ and $s(\mathrm{TrainIndex}_k) = k + 1, \dots, s(\mathrm{TrainIndex}_{n-1}) = n$ is a state of $S'$, but not of $S$.
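The compatibility condition that defines $\mathrm{St}(U)$ (agreement on shared control variables), the restriction maps, and the gluing of sections over the cover $\{U_1, U_2, U_{12}\}$ of Examples 8 and 9 can be exercised on the train subsystems. The following is an added example, not code from the paper or its authors: it identifies a subsystem with its set of control variables, represents a state as a dict, and uses constructed values for $k$, $l$ and $n$; the names `in_St_U`, `glue` and `glue_cover` are mine.

```python
"""Added example (not from the paper): compatible families of local states
and their gluing, for the train subsystems of Examples 8 and 9.

Assumptions (mine): a subsystem S_i is identified with its set X_i of control
variables, a state is a dict variable -> value, S_i -> S_j means X_i <= X_j,
and the colimit S_U has the union of the X_i as variables.  k, l, n and the
TrainIndex values are the paper's symbols; the numbers used are constructed.
"""
from itertools import combinations


def train_vars(indices):
    """Control variables X_i of the subsystem whose trains are `indices`."""
    return {f"TrainIndex_{i}" for i in indices}


def restrict(state, variables):
    """s|_X: restriction of a state to a set of variables."""
    return {x: v for x, v in state.items() if x in variables}


def in_St_U(systems, family):
    """Membership in St(U): every component is a state of its own system, and
    components agree on shared variables (s_i = s_j|_{X_i} when X_i <= X_j).
    `systems` maps a name to its variable set, `family` a name to a state."""
    if any(set(family[name]) != vars_ for name, vars_ in systems.items()):
        return False
    for (n1, x1), (n2, x2) in combinations(systems.items(), 2):
        shared = x1 & x2
        if restrict(family[n1], shared) != restrict(family[n2], shared):
            return False
    return True


def glue(systems, family):
    """Example 9(3): a compatible family defines s(x) = s_i(x) for x in X_i,
    a state of the colimit.  None when the family is not in St(U)."""
    if family is None or not in_St_U(systems, family):
        return None
    glued = {}
    for name in systems:
        glued.update(family[name])
    return glued


def glue_cover(systems, sections):
    """Example 9(1), the sheaf condition: `sections` maps each member U_k of a
    cover of U (a tuple of names) to a family over U_k.  Matching sections
    glue to a unique family over U; disagreement on an overlap gives None."""
    glued = {}
    for cover_set, fam in sections.items():
        for name in cover_set:
            if name in glued and glued[name] != fam[name]:
                return None
            glued[name] = fam[name]
    return glued if in_St_U(systems, glued) else None


def train_systems(k, l, n):
    """S_1 over trains 1..l, S_2 over k..n, S_12 over the shared trains."""
    x1, x2 = train_vars(range(1, l + 1)), train_vars(range(k, n + 1))
    return {"S1": x1, "S2": x2, "S12": x1 & x2}


def example8(k, l, n):
    """The two cases of Example 8.  Returns (agreeing family in St(InSys),
    family with s_2 shifted by one in St(InSys))."""
    systems = train_systems(k, l, n)
    s1 = {f"TrainIndex_{i}": i for i in range(1, l + 1)}
    s2_same = {f"TrainIndex_{i}": i for i in range(k, n + 1)}
    s2_shift = {f"TrainIndex_{i}": i + 1 for i in range(k, n + 1)}
    s12 = restrict(s1, systems["S12"])
    return (in_St_U(systems, {"S1": s1, "S2": s2_same, "S12": s12}),
            in_St_U(systems, {"S1": s1, "S2": s2_shift, "S12": s12}))


def example9(k, l, n):
    """Sections over the cover {U_1, U_2, U_12} of Example 9(1), glued and then
    mapped to a state of the colimit (Example 9(3))."""
    systems = train_systems(k, l, n)
    s1 = {f"TrainIndex_{i}": i for i in range(1, l + 1)}
    s2 = {f"TrainIndex_{i}": i for i in range(k, n + 1)}
    s12 = restrict(s1, systems["S12"])
    sections = {("S1", "S12"): {"S1": s1, "S12": s12},
                ("S2", "S12"): {"S2": s2, "S12": s12},
                ("S12",): {"S12": s12}}
    return glue(systems, glue_cover(systems, sections))
```

With $k \le l$ the shifted family fails the check on $\mathrm{TrainIndex}_k$ exactly as in the second bullet of Example 8, and with $l < k$ both families pass because $X_{12}$ is empty; `example9` returns the glued global state with $\mathrm{TrainIndex}_i = i$ for all trains.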

6 Transitions 

Let InSys be a family of systems satisfying conditions (i), (ii), (iii) in Section 2. We define a functor modeling transitions:

(Tr) $\mathrm{Tr} : \Omega(\mathrm{InSys})^{op} \to \mathrm{Set}$ is defined as follows:

Objects: $\mathrm{Tr}(U) = \{(f, s, s') \mid f = (f_i)_{S_i \in U} \in \mathrm{Pa}(U),\ s = (s_i)_{S_i \in U} \in \mathrm{St}(U),\ s' = (s'_i)_{S_i \in U} \in \mathrm{St}(U),\ (s_i, s'_i) \in \mathrm{Tr}_{S_i}(f_i) \text{ for all } S_i \in U\}$;
Morphisms: if $U_1 \subseteq U_2$, $\mathrm{Tr}(\iota) : \mathrm{Tr}(U_2) \to \mathrm{Tr}(U_1)$ is defined by
$\mathrm{Tr}(\iota)((f, s, s')) = (\mathrm{Pa}(\iota)(f), \mathrm{St}(\iota)(s), \mathrm{St}(\iota)(s'))$,

where, for every $S_i$ in InSys and $f_i \in \mathrm{Pa}(S_i)$, $\mathrm{Tr}_{S_i}(f_i)$ is the transition relation associated to $f_i$ in $S_i$ as explained in Section 3.
Example 10. Consider the family $\{S_1, S_{12}, S_2\}$ in Example 7. With the notation introduced in Example 3 let:

— $s_j(\mathrm{ActualPos}_i) = a_i$, $s_j(\mathrm{RepPos}_i) = r_i$, $s_j(\mathrm{Mode}_i) = m_i$, for $i \in I_j$;

— $f_j$ be such that $f_j^{-1}(1) = \{\mathrm{report}_i \mid i \in I_j\} \cup \{\mathrm{update}\}$, and

— $s'_j$ be defined by: $s'_j(\mathrm{ActualPos}_i) = a_i$, $s'_j(\mathrm{RepPos}_i) = a_i$, $s'_j(\mathrm{Mode}_i) = m'_i$, where $m'_i$ is computed according to the transition rules for update in Example 1.

Then: $f_i \in \mathrm{Pa}(S_i)$, $s_i, s'_i \in \mathrm{St}(S_i)$, $(s_i, s'_i) \in \mathrm{Tr}_{S_i}(f_i)$ for $i \in \{1, 2, 12\}$, $f_1|_{A_{12}} = f_2|_{A_{12}} = f_{12}$ and $s_1|_{X_{12}} = s_2|_{X_{12}} = s_{12}$.

Hence, $((f_1, s_1, s'_1), (f_2, s_2, s'_2), (f_{12}, s_{12}, s'_{12}))$ is in $\mathrm{Tr}(\mathrm{InSys})$.

Theorem 4 ([18]). The functor $\mathrm{Tr} : \Omega(\mathrm{InSys})^{op} \to \mathrm{Set}$ is a subsheaf of $\mathrm{Pa} \times \mathrm{St} \times \mathrm{St}$. Moreover:

— For every $S_i \in \mathrm{InSys}$, the stalk of Tr at $S_i$ is in bijection with $\mathrm{Tr}(S_i) = \{(f, s, s') \mid (s, s') \in \mathrm{Tr}_{S_i}(f)\}$.

— If the transitions obey either (Disj) or (Indep), then, for every $U \in \Omega(\mathrm{InSys})$, $\mathrm{Tr}(U)$ is in bijection with $\mathrm{Tr}(S_U) = \{(f, s, s') \mid (s, s') \in \mathrm{Tr}_{S_U}(f)\}$, where $S_U$ is the colimit of the diagram defined by $U$.

Example 11. Consider the family $\{S_1, S_{12}, S_2\}$ in Example 7. Consider the transition $((f_1, s_1, s'_1), (f_2, s_2, s'_2), (f_{12}, s_{12}, s'_{12})) \in \mathrm{Tr}(U)$. The map $f : A \to \{0, 1\}$ defined by $f(x) = f_i(x)$ iff $x \in A_i$ is well defined. Then $f \in \mathrm{Pa}(S)$. Similarly, $s, s' : X \to M$, defined by $s(x) = s_i(x)$ and $s'(x) = s'_i(x)$ iff $x \in X_i$, are well defined and in $\mathrm{St}(S)$.

As shown in Example 3, the transitions in all systems $S_1, S_2, S_{12}$ obey condition (Disj). The changes of the components of parallel actions are not contradictory and affect only the variables the actions depend upon. Thus, $(s, s')$ is in the transition induced (according to rule (Disj)) by $f$. Hence, $(s, s') \in \mathrm{Tr}_S(f)$. The converse is an immediate consequence of the fact that, as shown in Example [?], $S_1, S_2, S_{12}$ are transition-connected subsystems of $S$.

7 Behavior in time 

In [?], the behavior of a given system $S$ in time is modeled by a functor $F : \mathcal{T}^{op} \to \mathrm{Set}$, where $\mathcal{T}$ is the basis for the topology on $\mathbb{N}$ consisting of all the sets $\{0, 1, \dots, n\}$, $n \in \mathbb{N}$. Intuitively, for every $T \in \mathcal{T}$, $F(T)$ represents the succession of the states of the system "observed" during the interval of time $T$. We analyze various alternative possibilities of modeling behavior.

7.1 Behavior as successions of states and actions 

Since we are interested in actions as well as states, we present a different description of behavior. Let $\mathcal{T}$ consist of $\mathbb{N}$ together with all sets $\{0, 1, \dots, n\}$, $n \in \mathbb{N}$.



The behavior in an interval $T \in \mathcal{T}$ of a complex system obtained by interconnecting a family InSys (satisfying conditions (i)-(iii) in Section 2) is modeled by all successions of pairs (state, action) of the component subsystems that can be observed during $T$, i.e. by the functor $B_T : \Omega(\mathrm{InSys})^{op} \to \mathrm{Set}$ defined as follows:

Objects: for $U \in \Omega(\mathrm{InSys})$, $B_T(U) = \{h : T \to \mathrm{St}(U) \times \mathrm{Pa}(U) \mid K(h, T)\}$,
Morphisms: for $U_1 \subseteq U_2$, $B_T(\iota) : B_T(U_2) \to B_T(U_1)$, where for $h \in B_T(U_2)$,
$B_T(\iota)(h) = (\mathrm{St}(\iota) \times \mathrm{Pa}(\iota)) \circ h : T \xrightarrow{h} \mathrm{St}(U_2) \times \mathrm{Pa}(U_2) \xrightarrow{\mathrm{St}(\iota) \times \mathrm{Pa}(\iota)} \mathrm{St}(U_1) \times \mathrm{Pa}(U_1)$.

Here $K(h, T)$ expresses the fact that for every $n$, if $n, n + 1 \in T$ and $h(n) = (s, f)$, $h(n + 1) = (s', f')$ then $(f, s, s') \in \mathrm{Tr}(U)$.

Example 12. We illustrate the definition above. Let $T = \mathbb{N}$, and let $U = \{S_1, S_2, S_{12}\}$ as in Example 7. We represent an element $h$ in $B_T(\mathrm{InSys})$ as a table (first row: arguments $i$ of $h$, second row: the value $h(i)$, i.e. a pair of tuples):





[Table of Example 12 (the cell values are not recoverable from the scan). Columns: $i$; $h(i) \in \mathrm{St}(U) \times \mathrm{Pa}(U)$, split into $\mathrm{St}(S_1)$, $\mathrm{St}(S_{12})$ (the restriction), $\mathrm{St}(S_2)$ with the variables $\mathrm{ActPos}_i$, $\mathrm{RepPos}_i$, $\mathrm{Mode}_i$ for $i \in I_1$, $I_{12}$, $I_2$, and $\mathrm{Pa}(S_1)$, $\mathrm{Pa}(S_{12})$ (the restriction), $\mathrm{Pa}(S_2)$ with the actions $\mathrm{rep}_i$, upd, $\mathrm{move}_i$. Rows $i = 0, 1, 2, 3$ carry the state values $a_i, r_i, m_i$ and their successors $a'_i, m'_i$, and 0/1 flags for the actions.]

Theorem 5 ([18]). Let $B_T(S) = \{h : T \to \mathrm{St}(S) \times \mathrm{Pa}(S) \mid K_S(h, T)\}$, where $K_S(h, T)$ expresses the fact that for every $n$, if $n, n + 1 \in T$ and $h(n) = (s, f)$, $h(n + 1) = (s', f')$ then $(s, s') \in \mathrm{Tr}_S(f)$. Then:

— For every $T \in \mathcal{T}$, $B_T : \Omega(\mathrm{InSys})^{op} \to \mathrm{Set}$ is a sheaf.

— For every $S_i \in \mathrm{InSys}$, the stalk at $S_i$ is in bijection with $B_T(S_i)$.

— If the transitions obey (Disj) or (Indep), then, for every $U \in \Omega(\mathrm{InSys})$, $B_T(U)$ is in bijection with $B_T(S_U)$, where $S_U$ is the colimit of the diagram defined by $U$.
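The two conditions just defined, membership in $\mathrm{Tr}(U)$ (Section 6) and $K(h, T)$ on a behaviour (Section 7.1), can be checked mechanically once the component transition relations are fixed. The following is an added example, not code from the paper or its authors. Because the paper's update rules for Mode (Example 1) are not reproduced here, it uses a constructed toy semantics for the train actions; the variable names follow Example 10, while the assumed semantics, the assumed constraint $\mathrm{report}_i \wedge \mathrm{move}_i = 0$ and the function names are mine.

```python
"""Added example (not from the paper): membership in Tr(U) (Section 6) and the
condition K(h, T) on behaviours (Section 7.1), with a constructed toy
semantics for the train actions.

Assumptions (mine): each train i has variables ActualPos_i and RepPos_i; the
singleton actions are report_i (RepPos_i := ActualPos_i) and move_i
(ActualPos_i := ActualPos_i + 1); a parallel action is the set of singleton
actions enabled together; the constraint report_i AND move_i = 0 is assumed,
so an action is admissible iff it never enables both for one train.  Untouched
variables keep their value, as under rule (Disj).  A subsystem is identified
with its set of train indices.
"""


def admissible(action, trains):
    """Pa(S_i): a subset of S_i's alphabet obeying the (assumed) constraints."""
    alphabet = {f"report_{i}" for i in trains} | {f"move_{i}" for i in trains}
    return action <= alphabet and not any(
        {f"report_{i}", f"move_{i}"} <= action for i in trains)


def step(state, action):
    """Successor state under (Disj): every enabled singleton action rewrites
    only the variables it depends on; all other variables are unchanged."""
    nxt = dict(state)
    for a in action:
        kind, i = a.split("_")
        if kind == "report":
            nxt[f"RepPos_{i}"] = state[f"ActualPos_{i}"]
        elif kind == "move":
            nxt[f"ActualPos_{i}"] = state[f"ActualPos_{i}"] + 1
    return nxt


def in_Tr_Si(trains, f, s, s_next):
    """(s, s') in Tr_{S_i}(f) for the toy semantics."""
    return admissible(f, trains) and step(s, f) == s_next


def restrict_action(action, trains):
    """f|_{A_i}: keep the singleton actions of the given trains."""
    return {a for a in action if int(a.split("_")[1]) in trains}


def restrict_state(state, trains):
    """s|_{X_i}: keep the variables of the given trains."""
    return {x: v for x, v in state.items() if int(x.split("_")[1]) in trains}


def in_Tr_U(systems, f, s, s_next):
    """Tr(U): (f, s, s') is a transition in every component, and the families
    f, s, s' agree on the trains shared by any two subsystems."""
    for name, trains in systems.items():
        if not in_Tr_Si(trains, f[name], s[name], s_next[name]):
            return False
    for a in systems:
        for b in systems:
            shared = systems[a] & systems[b]
            if (restrict_action(f[a], shared) != restrict_action(f[b], shared)
                    or restrict_state(s[a], shared) != restrict_state(s[b], shared)
                    or restrict_state(s_next[a], shared) != restrict_state(s_next[b], shared)):
                return False
    return True


def K(systems, h):
    """K(h, T) for T = {0, ..., len(h) - 1}: with h[n] = (s, f) and
    h[n + 1] = (s', f'), the triple (f, s, s') must be in Tr(U)."""
    return all(in_Tr_U(systems, h[n][1], h[n][0], h[n + 1][0])
               for n in range(len(h) - 1))


def restrict_behaviour(h, sub):
    """B_T(iota): restrict each (state, action) pair of h to the open subset
    U_1 = `sub` of U."""
    return [({n: s[n] for n in sub}, {n: f[n] for n in sub}) for s, f in h]


def example_run():
    """Constructed run over U = {S1, S2, S12} (trains 1..3, 3..5 and {3}):
    everyone reports, then everyone moves.  Returns K for the run, K for its
    restriction to {S1, S12}, and K for a run whose S2 component skips the move."""
    systems = {"S1": {1, 2, 3}, "S2": {3, 4, 5}, "S12": {3}}

    def init(trains):
        return {**{f"ActualPos_{i}": 10 * i for i in trains},
                **{f"RepPos_{i}": 0 for i in trains}}

    s0 = {n: init(t) for n, t in systems.items()}
    f0 = {n: {f"report_{i}" for i in t} for n, t in systems.items()}
    s1 = {n: step(s0[n], f0[n]) for n in systems}
    f1 = {n: {f"move_{i}" for i in t} for n, t in systems.items()}
    s2 = {n: step(s1[n], f1[n]) for n in systems}
    idle = {n: set() for n in systems}
    h = [(s0, f0), (s1, f1), (s2, idle)]
    h_bad = [(s0, f0), (s1, f1), ({**s2, "S2": s1["S2"]}, idle)]
    sub = {"S1": systems["S1"], "S12": systems["S12"]}
    return K(systems, h), K(sub, restrict_behaviour(h, sub)), K(systems, h_bad)
```

The third value shows what $K$ detects: the $S_2$ component of `h_bad` claims a transition that the component's own relation $\mathrm{Tr}_{S_2}(f_1)$ does not contain, so the tuple is not in $\mathrm{Tr}(U)$ even though the $S_1$ and $S_{12}$ components are fine.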



7.2 Behavior: Admissible Parallel Actions as Words 

If we ignore the states, the behavior of any system $S$ can be expressed by a subset $L_S$ of the free monoid $\mathrm{Pa}(S)^*$ over the set of possible actions of $S$, where:

$L_S = \{f_1 \cdots f_n \mid \exists h : \{0, \dots, n\} \to \mathrm{St}(S) \times \mathrm{Pa}(S),\ \exists s_i \in \mathrm{St}(S) \text{ s.t. } \forall i \in \{0, \dots, n - 1\},\ (s_i, s_{i+1}) \in \mathrm{Tr}_S(f_i)\} \subseteq \mathrm{Pa}(S)^*$.
Consider the family $\{\mathrm{Pa}(S_i)^* \mid S_i \in \mathrm{InSys}\}$. If $S_i, S_j \in \mathrm{InSys}$ and $S_i \hookrightarrow S_j$, let $\rho^j_i : \mathrm{Pa}(S_j) \to \mathrm{Pa}(S_i)$ be the restriction to $S_i$. The restriction extends to a homomorphism of monoids, $\rho^j_i : \mathrm{Pa}(S_j)^* \to \mathrm{Pa}(S_i)^*$. If there is no risk of confusion, in what follows we will abbreviate $\rho^j_i(w_j)$ by $w_j|_{S_i}$. Let $M(\mathrm{InSys})$ be defined by:

$M(\mathrm{InSys}) = \{(w_i)_{S_i \in \mathrm{InSys}} \mid w_i \in \mathrm{Pa}(S_i)^* \text{ and } \forall S_i \hookrightarrow S_j,\ \rho^j_i(w_j) = w_i\}$.

It can be seen that $M(\mathrm{InSys})$ is the limit of the diagram $\{\mathrm{Pa}(S_i)^* \mid S_i \in \mathrm{InSys}\}$ (with the morphisms $\rho^j_i$ for every $S_i \hookrightarrow S_j$).

Theorem 6. Let $M : \Omega(\mathrm{InSys})^{op} \to \mathrm{Sets}$ be defined as follows:

Objects: $M(U) = \{(w_i)_{S_i \in U} \mid w_i \in \mathrm{Pa}(S_i)^*,\ w_i|_{S_j} = w_j \text{ for every } S_j \hookrightarrow S_i\}$,

Morphisms: if $\iota : U_1 \subseteq U_2$, $M(\iota) : M(U_2) \to M(U_1)$ is defined for every $(w_i)_{S_i \in U_2}$ by $M(\iota)((w_i)_{S_i \in U_2}) = (w_i)_{S_i \in U_1}$.

Then $M$ is a sheaf of monoids. $M(V)$ is the limit of the diagram $\{\mathrm{Pa}(S_i)^* \mid S_i \in V\}$ (with morphisms $\rho^j_i : \mathrm{Pa}(S_j)^* \to \mathrm{Pa}(S_i)^*$ whenever $S_i \hookrightarrow S_j$).

Proof: Let $U \in \Omega(\mathrm{InSys})$ and $\{U_k \mid k \in K\}$ be a cover for $U$. Let $\{w_k\}_{k \in K}$ be a family of elements such that for every $k \in K$, $w_k = (w^k_i)_{S_i \in U_k}$, and for every $k_1, k_2 \in K$, if $S_i \in U_{k_1} \cap U_{k_2}$ then $w^{k_1}_i = w^{k_2}_i$.

We define $w = (w_i)_{S_i \in U}$ as follows: for every $S_i \in U$, $S_i \in U_k$ for some $k$. Then $w_i$ is defined to be $w^k_i$. Note that $w$ is well defined because of the compatibility of the family $\{w_k\}_{k \in K}$, and $\rho^U_{U_k}(w) = w_k$ for every $k \in K$. The uniqueness of $w$ follows from the fact that for every $w' = (w'_i)_{S_i \in U}$ such that $\rho^U_{U_k}(w') = w_k$ for every $k \in K$ we have $w'_i = w^k_i$ for every $S_i \in U_k$.

The fact that $M(V)$ is the limit of the diagram $\{\mathrm{Pa}(S_i)^* \mid S_i \in V\}$ (with the corresponding morphisms) can be checked without difficulty. □

Remark: Let $S$ be the colimit of the diagram defined by $U$. The connection between $\mathrm{Pa}(S)^*$ and $M(U)$ is rather loose: let $\rho : \mathrm{Pa}(S)^* \to M(U)$ be defined by $\rho(f_1 \cdots f_n) = ((f_1 \cdots f_n)|_{S_i})_{S_i \in U} \in M(U)$. If we identify the empty action with the empty word $\varepsilon$, $\rho$ may not be injective, as can be seen from the following example:

Example 13. Let $S_1$ and $S_2$ be as defined in Example 7, where trains are indexed by $I_1 = \{k_1, \dots, n\}$ and $I_2 = \{1, \dots, k_2\}$ and $k_2 < k_1$, with the difference that update is omitted as in Example [?]. Let $\mathrm{InSys} = \{S_1, S_2, \emptyset\}$. Let $w_1 = f_1 f_2$ and $w_2 = f_2 f_1$, where $f_1^{-1}(1) = \{\mathrm{report}_i \mid i \in I_1\}$ and $f_2^{-1}(1) = \{\mathrm{move}_j \mid j \in I_2\}$. Note that $(f_1|_{S_1})^{-1}(1) = \{\mathrm{report}_i \mid i \in I_1\}$, $(f_1|_{S_2})^{-1}(1) = (f_2|_{S_1})^{-1}(1) = \emptyset$, and $(f_2|_{S_2})^{-1}(1) = \{\mathrm{move}_j \mid j \in I_2\}$. Thus,

$\rho(w_1) = ((f_1 f_2)|_{S_1}, (f_1 f_2)|_{S_2}, (f_1 f_2)|_{\emptyset}) = ((f_1|_{A_1} f_2|_{A_1}), (f_1|_{A_2} f_2|_{A_2}), \varepsilon)$

$= (f_1 \varepsilon, \varepsilon f_2, \varepsilon) = (\varepsilon f_1, f_2 \varepsilon, \varepsilon) = ((f_2|_{A_1} f_1|_{A_1}), (f_2|_{A_2} f_1|_{A_2}), \varepsilon) = \rho(w_2)$,

but $w_1 \neq w_2$.
The next example shows that $\rho : \mathrm{Pa}(S)^* \to M(U)$ is not necessarily onto: there may exist compatible families (even if we only consider singleton parallel actions) of sequences of actions that cannot be "glued together" to a sequence of actions in $\mathrm{Pa}(S)^*$. A similar result appears in [13] (in that case, no parallelism is allowed).

Example 14. Let $S_1, S_2, S_3$ be three systems all having the same language, the same constraints on variables and the same model for the variables, such that
$A_{S_1} = \{a, b, d\}$, $A_{S_2} = \{b, c, e\}$, $A_{S_3} = \{a, c, f\}$,
$C_{S_1} = \{a \wedge b = 0\}$, $C_{S_2} = \{b \wedge c = 0\}$, $C_{S_3} = \{a \wedge c = 0\}$.
Let $S$ be the system obtained by interconnecting the systems $S_1, S_2, S_3$. Then $A_S = \{a, b, c, d, e, f\}$, $C_S = \{a \wedge b = 0, b \wedge c = 0, a \wedge c = 0\}$. Consider $w_1 = ab \in \mathrm{Pa}(S_1)^*$, $w_2 = bc \in \mathrm{Pa}(S_2)^*$, $w_3 = ca \in \mathrm{Pa}(S_3)^*$. It is easy to see that $\rho_{12}(w_1) = \rho_{12}(w_2) = b$, $\rho_{23}(w_2) = \rho_{23}(w_3) = c$, $\rho_{13}(w_1) = \rho_{13}(w_3) = a$, but there is no $w \in \mathrm{Pa}(S)^*$ such that $w|_{S_i} = w_i$, $i = 1, 2, 3$.
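Both failure modes of the remark above, $\rho$ not injective (Example 13) and $\rho$ not onto (Example 14), can be reproduced by implementing the restriction homomorphisms $\rho^j_i$ on words. The following is an added example, not code from the paper or its authors: the alphabets and words are those of Examples 13 and 14, while the concrete index sets $I_1$, $I_2$ used for Example 13, the search bound, and the function names are mine. For Example 14 the search goes beyond the paper's remark by exhausting all words over $A_S$ up to the bound rather than arguing by hand; since each letter must occur exactly once and the three restrictions force $a$ before $b$, $b$ before $c$ and $c$ before $a$, no bound would change the answer.

```python
"""Added example (not from the paper): the restriction homomorphisms
rho^j_i : Pa(S_j)* -> Pa(S_i)* of Section 7.2, the map rho : Pa(S)* -> M(U),
and the two failure modes of Examples 13 and 14 (rho neither injective nor
onto).  A word is a tuple of parallel actions, a parallel action a frozenset
of enabled singleton actions.  Alphabets and words are the paper's; the
index sets of Example 13 and the search bound are constructed.
"""
from itertools import product


def restrict_word(word, alphabet):
    """rho^j_i on words: restrict each parallel action to `alphabet`; the
    empty action is identified with the empty word, i.e. dropped."""
    return tuple(f & alphabet for f in word if f & alphabet)


def rho(word, subsystems):
    """rho(w) = (w|_{S_i})_{S_i in U}, indexed like `subsystems` (alphabets)."""
    return tuple(restrict_word(word, A) for A in subsystems)


def compatible(family, subsystems):
    """The limit condition defining M(U): restrictions agree on overlaps.
    Checked pairwise on A_i & A_j, which suffices when every overlap is
    itself a member of the family (as in Examples 13 and 14)."""
    for i in range(len(subsystems)):
        for j in range(i + 1, len(subsystems)):
            shared = subsystems[i] & subsystems[j]
            if restrict_word(family[i], shared) != restrict_word(family[j], shared):
                return False
    return True


def find_global_word(family, subsystems, max_len):
    """Search Pa(S)* for a word w with rho(w) == family, using singleton
    parallel actions only (a constraint a AND b = 0 never forbids a
    singleton) and words up to length max_len.  None if there is none."""
    letters = [frozenset({a}) for a in sorted(set().union(*subsystems))]
    target = tuple(family)
    for n in range(max_len + 1):
        for w in product(letters, repeat=n):
            if rho(w, subsystems) == target:
                return w
    return None


def example13():
    """rho is not injective: with disjoint train sets, f1 f2 and f2 f1 are
    different words of Pa(S)* with the same restrictions.  I1, I2 are
    constructed instances of {k1..n} and {1..k2} with k2 < k1."""
    I1, I2 = {4, 5, 6}, {1, 2}
    A1 = {f"report_{i}" for i in I1} | {f"move_{i}" for i in I1}
    A2 = {f"report_{i}" for i in I2} | {f"move_{i}" for i in I2}
    f1 = frozenset(f"report_{i}" for i in I1)
    f2 = frozenset(f"move_{i}" for i in I2)
    w1, w2 = (f1, f2), (f2, f1)
    subsystems = [A1, A2, set()]          # InSys = {S1, S2, empty system}
    return w1 != w2 and rho(w1, subsystems) == rho(w2, subsystems)


def example14():
    """rho is not onto: the family (ab, bc, ca) is compatible but no word over
    A_S = {a, ..., f} restricts to it (a before b, b before c, c before a)."""
    A1, A2, A3 = {"a", "b", "d"}, {"b", "c", "e"}, {"a", "c", "f"}
    word = lambda *xs: tuple(frozenset({x}) for x in xs)
    family = [word("a", "b"), word("b", "c"), word("c", "a")]
    return compatible(family, [A1, A2, A3]), find_global_word(family, [A1, A2, A3], 6)


def gluable_family():
    """Contrast with Example 14: (ab, b, a) is compatible and does glue, to ab."""
    A1, A2, A3 = {"a", "b", "d"}, {"b", "c", "e"}, {"a", "c", "f"}
    word = lambda *xs: tuple(frozenset({x}) for x in xs)
    family = [word("a", "b"), word("b"), word("a")]
    return find_global_word(family, [A1, A2, A3], 4)
```

`example14` returns a compatible family with no preimage, which is exactly why the paper moves on to partially commutative monoids in Section 7.3; `gluable_family` shows the search finding the global word when one exists.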

We investigate therefore other ways of modelling behavior for which tighter links 
between local and global behavior exist. 

7.3 Behavior: Partially Commutative Monoids 

In what follows we assume that the constraints on actions are all of the form $a_i \wedge a_j = 0$ (they state which actions cannot be performed in parallel).

Definition 8. Let $S$ be a system with the property that the constraints on actions are all of the form $a_i \wedge a_j = 0$. The dependence graph of $S$ is the graph $(A_S, D_S)$ having as set of vertices $A_S$, and where $D_S$ is defined by $(a_1, a_2) \in D_S$ if $a_1 = a_2$ or $a_1 \wedge a_2 = 0 \in C_S$.

For every system $S$ with dependence graph $(A_S, D_S)$ we denote by $M(S) = M(A_S, D_S)$ the free partially commutative monoid defined by $(A_S, D_S)$, i.e. the quotient of $A_S^*$ by the congruence relation generated by $a_1 a_2 = a_2 a_1$ for every $(a_1, a_2) \in (A_S \times A_S) \setminus D_S$. For basic properties of (free) partially commutative monoids we refer e.g. to [3], pp. 9-29 and 67-79.

For every $S_i \in \mathrm{InSys} \setminus \{\emptyset\}$, let $M(S_i) = A_{S_i}^*/\theta_i$ (where $\theta_i$ is the congruence defined as explained above from $(A_{S_i} \times A_{S_i}) \setminus D_{S_i}$) be the partially commutative monoid associated with the dependence graph of $S_i$. Let $S$ be the colimit of the diagram defined by InSys. Then $A_S = \bigcup_{S_i \in \mathrm{InSys}} A_{S_i}$ and $D_S = \bigcup_{S_i \in \mathrm{InSys}} D_{S_i}$. Hence, for every $S_i \in \mathrm{InSys}$ there is a canonical projection $p_i : M(S) \to M(S_i)$ which is onto. Let $\ker(p_i)$ be the kernel of $p_i$. Then $M(S_i) \simeq M(S)/\ker(p_i)$.

If $S_i \hookrightarrow S_j$, then we denote the canonical projection by $p^j_i : M(S_j) \to M(S_i)$, and if $S_i, S_j \in \mathrm{InSys}$, then $p^j_{ij} : M(S_j) \to M(S_i \cap S_j)$ and $p^i_{ij} : M(S_i) \to M(S_i \cap S_j)$ are the canonical mappings. Note that all homomorphisms $p^j_i : M(S_j) \to M(S_i)$ and $p^i_{ij} : M(S_i) \to M(S_i \cap S_j)$ are onto. We know that for all $S_j \hookrightarrow S_i$, $p^i_j \circ p_i = p_j$.
Example 15. Consider a family of two systems of trains $S_1, S_2$ over disjoint sets of trains as in Example 7 but with $l < k$. We simplify the description by replacing all actions that need to be executed at the same time with one action. The system $S_i$ ($i \in \{1, 2\}$) obtained this way has two actions $\mathrm{update}_i$ and $\mathrm{move}_i$. The constraints are $C_i = \{\mathrm{update}_i \wedge \mathrm{move}_i = 0\}$. Thus $\theta_i = \mathrm{id}$, so $M(S_i) = A_{S_i}^*$. Let $S$ be the system obtained by the interconnection of $S_1$ and $S_2$.

$A_S = \{\mathrm{update}_1, \mathrm{update}_2, \mathrm{move}_1, \mathrm{move}_2\}$ and $C_S = C_1 \cup C_2$.

$D_S = \{(\mathrm{update}_1, \mathrm{update}_1), (\mathrm{update}_2, \mathrm{update}_2), (\mathrm{move}_2, \mathrm{move}_2), (\mathrm{move}_1, \mathrm{move}_1), (\mathrm{update}_1, \mathrm{move}_1), (\mathrm{move}_1, \mathrm{update}_1), (\mathrm{update}_2, \mathrm{move}_2), (\mathrm{move}_2, \mathrm{update}_2)\}$

$(A_S \times A_S) \setminus D_S = \{(\mathrm{update}_1, \mathrm{update}_2), (\mathrm{update}_2, \mathrm{update}_1), (\mathrm{update}_1, \mathrm{move}_2), (\mathrm{move}_2, \mathrm{update}_1), (\mathrm{move}_1, \mathrm{update}_2), (\mathrm{update}_2, \mathrm{move}_1), (\mathrm{move}_1, \mathrm{move}_2), (\mathrm{move}_2, \mathrm{move}_1)\}$

Thus, $M(S) = A_S^*/\theta$, where $\theta$ is the congruence generated by $(A_S \times A_S) \setminus D_S$.

Applying a method due to [2] (cf. Appendix A), where sheaves of algebras are constructed whose stalks are quotients of a given algebra, we deduce for partially commutative monoids results similar to those given in [13] for monoids. The results are similar to results on Petri nets and Mazurkiewicz traces presented in [?].

Let $(F, f, \mathrm{InSys})$ be defined by $F = \coprod_{S_i \in \mathrm{InSys}} M(S_i)$, and $f : F \to \mathrm{InSys}$ be the natural projection. Assume that a subbasis for the topology on $F$ is $SB = \{[m](U) \mid U \in \Omega(\mathrm{InSys}), m \in M(S)\}$, where $[m](U) = \{p_i(m) \mid S_i \in U\}$.

We first show that $\Omega(\mathrm{InSys})$ has the property that for every $m_1, m_2 \in M(S)$, if $p_i(m_1) = p_i(m_2)$ then there exists an open neighborhood $U$ of $S_i$ in $\Omega(\mathrm{InSys})$ such that for every $S_j \in U$, $p_j(m_1) = p_j(m_2)$ (i.e. it is an S-topology).

Lemma 1. $\Omega(\mathrm{InSys})$ is an S-topology (cf. Definition 10).

Proof: We show that for every $m_1, m_2 \in M(S)$, if $p_i(m_1) = p_i(m_2)$ then there exists an open neighborhood $U$ of $S_i$ in $\Omega(\mathrm{InSys})$ s.t. for every $S_j \in U$, $p_j(m_1) = p_j(m_2)$. Let $m_1, m_2 \in M(S)$ with $p_i(m_1) = p_i(m_2)$. Let $U = {\downarrow}S_i = \{S_j \in \mathrm{InSys} \mid S_j \hookrightarrow S_i\}$. Then $U \in \Omega(\mathrm{InSys})$ and $p_j(m_1) = p^i_j(p_i(m_1)) = p^i_j(p_i(m_2)) = p_j(m_2)$ for every $S_j \in U$. □

Let $\alpha : M(S) \to \Gamma(\mathrm{InSys}, F)$ be defined by $\alpha(m) = (p_i(m))_{S_i \in \mathrm{InSys}}$. Since $\Omega(\mathrm{InSys})$ is an S-topology, by Theorem 12 and Corollary 2 in Appendix A we have:

(1) $(F, f, \mathrm{InSys})$ is a sheaf of algebras,

(2) The stalk at $S_i \in \mathrm{InSys}$ is isomorphic to $M(S_i)$,

(3) In $M(S) \xrightarrow{\alpha} \Gamma(\mathrm{InSys}, F) \le \prod_{S_i \in \mathrm{InSys}} M(S_i) \xrightarrow{\pi_i} M(S_i)$:
(3.i) $\pi_i \circ \alpha$ is an epimorphism,

(3.ii) $M(S)$ is a subdirect product of $\{M(S_i)\}_{S_i \in \mathrm{InSys}}$ iff $\alpha$ is a monomorphism.
Lemma 2. Let $s : \mathrm{InSys} \to \coprod_{S_i \in \mathrm{InSys}} M(S_i)$ be such that $s(S_i) \in M(S_i)$ for every $S_i \in \mathrm{InSys}$. Let $m \in M(S)$ and $U \in \Omega(\mathrm{InSys})$. Then $S_i \in s^{-1}([m](U))$ if and only if $S_i \in U$ and $s(S_i) = p_i(m)$.

Proof: Note that $s^{-1}([m](U)) = \{S_i \in \mathrm{InSys} \mid s(S_i) \in [m](U)\} = \{S_i \in \mathrm{InSys} \mid s(S_i) \in \{p_j(m) \mid S_j \in U\}\}$. We first prove the direct implication. Assume that $S_i \in s^{-1}([m](U))$. Then $s(S_i) = p_j(m)$ for some $S_j \in U$. Since $f \circ s(S_i) = S_i$, it follows that $S_i = f(s(S_i)) = f(p_j(m)) = S_j$, hence $S_i \in U$ and $s(S_i) = p_i(m)$. To prove the converse, assume that $S_i \in U$ and $s(S_i) = p_i(m)$. Then $s(S_i) \in \{p_j(m) \mid S_j \in U\}$, hence $S_i \in s^{-1}([m](U))$. □

Lemma 3. Let $\tau$ be the topology on $F = \coprod_{S_i \in \mathrm{InSys}} M(S_i)$ generated by $SB = \{[m](U) \mid U \in \Omega(\mathrm{InSys}), m \in M(S)\}$ as a subbasis. Then any map

$s : \mathrm{InSys} \to \coprod_{S_i \in \mathrm{InSys}} M(S_i)$

such that for every $S_i \in \mathrm{InSys}$, $s(S_i) \in M(S_i)$ is continuous if and only if for every $S_i, S_j \in \mathrm{InSys}$ such that $S_j \hookrightarrow S_i$, $p^i_j(s(S_i)) = s(S_j)$.

Proof: Since $SB$ is a subbasis for the topology on $F = \coprod_{S_i \in \mathrm{InSys}} M(S_i)$, a map

$s : \mathrm{InSys} \to \coprod_{S_i \in \mathrm{InSys}} M(S_i)$

is continuous iff for every $[m](U) \in SB$, $s^{-1}([m](U)) \in \Omega(\mathrm{InSys})$. We first prove the direct implication. Assume that $s : \mathrm{InSys} \to \coprod_{S_i \in \mathrm{InSys}} M(S_i)$ is continuous. Let $S_i, S_j \in \mathrm{InSys}$ be such that $S_j \hookrightarrow S_i$. We prove that $p^i_j(s(S_i)) = s(S_j)$. Let $U = {\downarrow}S_i \in \Omega(\mathrm{InSys})$ and let $m \in M(S)$ be such that $p_i(m) = s(S_i)$ (the existence of $m$ is ensured by the fact that $p_i : M(S) \to M(S_i)$ is onto). From the continuity of $s$ we know that $s^{-1}([m]({\downarrow}S_i)) \in \Omega(\mathrm{InSys})$. Obviously, $S_i \in s^{-1}([m]({\downarrow}S_i))$. Therefore, since $S_j \hookrightarrow S_i$, $S_j \in s^{-1}([m]({\downarrow}S_i))$, hence, by Lemma 2, $s(S_j) = p_j(m)$. Therefore, $s(S_j) = p_j(m) = p^i_j(p_i(m)) = p^i_j(s(S_i))$.

Conversely, assume that for every $S_i, S_j \in \mathrm{InSys}$ such that $S_j \hookrightarrow S_i$ it holds that $p^i_j(s(S_i)) = s(S_j)$. We prove that $s$ is continuous. Let $[m](U) \in SB$, where $m \in M(S)$ and $U \in \Omega(\mathrm{InSys})$. We prove that $s^{-1}([m](U)) \in \Omega(\mathrm{InSys})$. Let $S_i \in s^{-1}([m](U))$. Then $S_i \in U$ and $s(S_i) = p_i(m)$. Let $S_j \hookrightarrow S_i$. Then $S_j \in U$ and, by the hypothesis, $s(S_j) = p^i_j(s(S_i)) = p^i_j(p_i(m)) = p_j(m)$. Thus, $S_j \in s^{-1}([m](U))$. Therefore $s^{-1}([m](U)) \in \Omega(\mathrm{InSys})$. □

Lemma 4. The set $\Gamma(\mathrm{InSys}, F)$ of global sections of $F$ has the form

$\Gamma(\mathrm{InSys}, F) = \{(m_i)_{S_i \in \mathrm{InSys}} \mid m_i \in M(S_i) \text{ and } \forall S_j \hookrightarrow S_i \in \mathrm{InSys},\ p^i_j(m_i) = m_j\}$.

Proof: We know that $\Gamma(\mathrm{InSys}, F) = \{s : \mathrm{InSys} \to \coprod_{S_i \in \mathrm{InSys}} M(S_i) \mid s \text{ continuous and } s(S_i) \in M(S_i), \forall S_i \in \mathrm{InSys}\}$. (The elements of $\Gamma(\mathrm{InSys}, F)$ are tuples $(s(S_i))_{S_i \in \mathrm{InSys}}$.) Let first $s \in \Gamma(\mathrm{InSys}, F)$. Then $s$ is continuous and, by Lemma 3, for all $S_i, S_j \in \mathrm{InSys}$ with $S_j \hookrightarrow S_i$, $p^i_j(s(S_i)) = s(S_j)$. Conversely, let $(m_i)_{S_i \in \mathrm{InSys}}$ be such that for every $S_i, S_j \in \mathrm{InSys}$, $m_i \in M(S_i)$ and if $S_j \hookrightarrow S_i$ then $p^i_j(m_i) = m_j$. Let $s : \mathrm{InSys} \to \coprod_{S_i \in \mathrm{InSys}} M(S_i)$ be defined by $s(S_i) = m_i$ for every $S_i \in \mathrm{InSys}$. Then, whenever $S_j \hookrightarrow S_i \in \mathrm{InSys}$, $p^i_j(s(S_i)) = s(S_j)$ and, by Lemma 3, $s$ is continuous. □



Theorem 7. Let $(F, f, \mathrm{InSys})$ be defined as above. Then $(F, f, \mathrm{InSys})$ is a sheaf space of algebras. The stalk at $S_i \in \mathrm{InSys}$ is isomorphic to $M(S_i)$; the set of global sections is

$\Gamma(\mathrm{InSys}, F) = \{(m_i)_{S_i \in \mathrm{InSys}} \mid m_i \in M(S_i), \text{ and } \forall S_i \hookrightarrow S_j,\ p^j_i(m_j) = m_i\}$.

Additionally the following hold:

(1) If InSys is finite, then

(i) $M(S) \xrightarrow{\alpha} \Gamma(\mathrm{InSys}, F) \le \prod_{S_i \in \mathrm{InSys}} M(S_i)$ is a subdirect product.

(ii) The embedding $M(S) \hookrightarrow \Gamma(\mathrm{InSys}, F)$ is an isomorphism iff every chordless cycle in the dependence graph $G_S$ of $S$ is a cycle in a subgraph $G_{S_i}$ for some $S_i \in \mathrm{InSys}$.

(2) If InSys is infinite, and if for every $a \in A_S$ there are at most finitely many $S_i \in \mathrm{InSys}$ with $a \in A_i$, then there is an injective morphism $M(S) \to \bigoplus_{S_i} M(S_i)$, where $\bigoplus_{S_i} M(S_i) = \{(w_i)_{i \in I} \mid w_i \in M(S_i),\ w_i = \varepsilon \text{ a.e.}\}$ is the weak product of the family $\{M(S_i)\}_{S_i \in \mathrm{InSys}}$.

Proof: The form of $\Gamma(\mathrm{InSys}, F)$ follows from Lemma 4. (1)(i) and (2) are a consequence of Theorem 14 and the subsequent comments in Appendix B. (1)(ii) is a direct consequence of Theorem 3.3.2 in [3]. □

Example 16. First consider the family of systems in Example 15. The dependency graph of $S$, $G_S = (A_S, D_S)$, contains the following non-trivial chordless cycles:

1. $(\mathrm{update}_1, \mathrm{move}_1, \mathrm{update}_1)$ and $(\mathrm{move}_1, \mathrm{update}_1, \mathrm{move}_1)$ (all cycles in $G_{S_1}$),

2. $(\mathrm{update}_2, \mathrm{move}_2, \mathrm{update}_2)$ and $(\mathrm{move}_2, \mathrm{update}_2, \mathrm{move}_2)$ (all cycles in $G_{S_2}$).

Thus, in this case the embedding in Theorem 7(1)(ii) is an isomorphism.

Example 17. Consider the systems in Example 14. The dependency graphs are:

- $G_{S_1} = (A_1, D_1)$, with $D_1 = \{(a, a), (b, b), (d, d), (a, b), (b, a)\}$,

- $G_{S_2} = (A_2, D_2)$, with $D_2 = \{(b, b), (c, c), (e, e), (b, c), (c, b)\}$,

- $G_{S_3} = (A_3, D_3)$, with $D_3 = \{(a, a), (c, c), (f, f), (a, c), (c, a)\}$.

$G_S = (A_1 \cup A_2 \cup A_3, D_1 \cup D_2 \cup D_3)$ contains the chordless cycle $(a, b, c, a)$ which is not contained in any of the subgraphs $G_{S_i}$, $i \in \{1, 2, 3\}$. Thus, the embedding in Theorem 7(1)(ii) is not an isomorphism.
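The dependence graph of Definition 8, equality in $M(A_S, D_S)$, the projections $p_i$, and the chordless-cycle criterion of Theorem 7(1)(ii) applied in Examples 16 and 17 can all be computed for alphabets of this size. The following is an added example, not code from the paper or its authors: the alphabets and constraints are those of Examples 15 and 17, while the trace representation (the lexicographically least word of the class, found by exhausting swaps of adjacent independent letters) and the function names are mine. It treats only simple cycles of length at least three as chordless cycles, so the two-vertex "cycles" the paper lists in Example 16 count as trivial here; the conclusion for each example is the paper's.

```python
"""Added example (not from the paper): dependence graphs (Definition 8),
equality in the free partially commutative monoid M(S) = M(A_S, D_S), the
projections p_i : M(S) -> M(S_i), and the chordless-cycle criterion of
Theorem 7(1)(ii), run on Examples 15 and 17.  Constraints are pairs (a, b)
standing for a AND b = 0.  A trace is represented by the lexicographically
least word of its class (my construction, adequate for short words).
"""
from itertools import combinations


def dependence(alphabet, constraints):
    """D_S: every (a, a), plus both orientations of each constraint pair."""
    D = {(a, a) for a in alphabet}
    for a, b in constraints:
        D |= {(a, b), (b, a)}
    return D


def trace_normal_form(word, D):
    """Lexicographically least representative of the trace of `word`."""
    word = tuple(word)
    seen, frontier = {word}, [word]
    while frontier:
        w = frontier.pop()
        for k in range(len(w) - 1):
            if (w[k], w[k + 1]) not in D:          # independent letters commute
                u = w[:k] + (w[k + 1], w[k]) + w[k + 2:]
                if u not in seen:
                    seen.add(u)
                    frontier.append(u)
    return min(seen)


def traces_equal(u, v, D):
    """u and v denote the same element of M(A_S, D_S)."""
    return trace_normal_form(u, D) == trace_normal_form(v, D)


def project(word, alphabet_i, D_i):
    """p_i : M(S) -> M(S_i): erase the letters outside A_i, then normalise
    with respect to D_i (D_S is the union of the D_i)."""
    return trace_normal_form([a for a in word if a in alphabet_i], D_i)


def _connected(vertices, edges):
    todo, seen = [vertices[0]], {vertices[0]}
    while todo:
        v = todo.pop()
        for e in edges:
            if v in e:
                (w,) = e - {v}
                if w not in seen:
                    seen.add(w)
                    todo.append(w)
    return len(seen) == len(vertices)


def chordless_cycles(alphabet, D):
    """Vertex sets C, |C| >= 3, whose induced subgraph of G_S (loops removed)
    is exactly one cycle: |C| edges, every vertex of degree 2, connected."""
    edges = {frozenset(e) for e in D if e[0] != e[1]}
    found = []
    for size in range(3, len(alphabet) + 1):
        for C in combinations(sorted(alphabet), size):
            inner = {e for e in edges if e <= set(C)}
            degrees = [sum(v in e for e in inner) for v in C]
            if len(inner) == size and all(d == 2 for d in degrees) and _connected(C, inner):
                found.append(frozenset(C))
    return found


def embedding_is_iso(subalphabets, alphabet, D):
    """Theorem 7(1)(ii): every chordless cycle of G_S lies in some G_{S_i}."""
    return all(any(C <= A for A in subalphabets)
               for C in chordless_cycles(alphabet, D))


def example15():
    """Two disjoint train subsystems: update_i and move_i dependent, all other
    pairs commute.  Returns (update1 update2 move1 == update2 update1 move1,
    update1 move1 == move1 update1, embedding is an isomorphism)."""
    A1, A2 = {"update1", "move1"}, {"update2", "move2"}
    D = dependence(A1 | A2, {("update1", "move1"), ("update2", "move2")})
    return (traces_equal(("update1", "update2", "move1"), ("update2", "update1", "move1"), D),
            traces_equal(("update1", "move1"), ("move1", "update1"), D),
            embedding_is_iso([A1, A2], A1 | A2, D))


def example17():
    """The triangle (a, b, c) is a chordless cycle of G_S contained in none of
    G_{S_1}, G_{S_2}, G_{S_3}, so the embedding is not an isomorphism."""
    A1, A2, A3 = {"a", "b", "d"}, {"b", "c", "e"}, {"a", "c", "f"}
    D = dependence(A1 | A2 | A3, {("a", "b"), ("b", "c"), ("a", "c")})
    A_S = A1 | A2 | A3
    return chordless_cycles(A_S, D), embedding_is_iso([A1, A2, A3], A_S, D)
```

The normal form is only practical for short words (the class of a word is enumerated), but it makes the quotient by $\theta$ concrete: two words are equal in $M(S)$ iff their normal forms coincide, and $p_i$ is erasure followed by normalisation in $M(S_i)$.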
8 Other concepts and their sheaf semantics

Time. One possibility for expressing time internally in the category $\mathrm{Sh}(\mathrm{InSys})$ is to model time by the sheafification $\overline{N}$ of the constant presheaf $N : \Omega(\mathrm{InSys})^{op} \to \mathrm{Set}$ (defined for every $U$ by $N(U) = \mathbb{N}$), which can be constructed as follows:

- Let $N^+ : \Omega(\mathrm{InSys})^{op} \to \mathrm{Sets}$ be defined by $N^+(U) = \mathbb{N}$ if $U \neq \emptyset$ and $N^+(\emptyset) = 1$ (for the empty cover there is exactly one matching family, the empty one).

- Let $\overline{N} = (N^+)^+ : \Omega(\mathrm{InSys})^{op} \to \mathrm{Sets}$. An element of $(N^+)^+(U)$ is an equivalence class of sets of elements $i_j \in N(U_j)$ for some open covering $\{U_j \mid j \in J\}$ of $U$, which match ($i_{j_1} = i_{j_2}$) whenever the overlap $U_{j_1} \cap U_{j_2}$ is nonempty. Thus, these elements "glue" together to give a function $i : U \to \mathbb{N}$, with the property that every point of $U$ has some open neighborhood on which the function is constant.

For every $U \in \Omega(\mathrm{InSys})$, $\overline{N}(U) = \{i : U \to \mathbb{N} \mid i \text{ locally constant}\}$.$^2$ There exist $\mathrm{Sh}(\mathrm{InSys})$-arrows $1 \xrightarrow{0} \overline{N} \xrightarrow{s} \overline{N}$; the sheaf $\overline{N}$ is the natural number object in $\mathrm{Sh}(\mathrm{InSys})$.

Other constructions. Various other sheaves and natural transformations can be defined by using standard categorical constructions in $\mathrm{Sh}(\mathrm{InSys})$. We can e.g. define a natural transformation $\alpha : B_{\mathbb{N}} \times \overline{N} \to \mathrm{St} \times \mathrm{Pa}$ whose components $\alpha_U : B_{\mathbb{N}}(U) \times \overline{N}(U) \to \mathrm{St}(U) \times \mathrm{Pa}(U)$ are defined by $\alpha_U(h, (n_i)_{S_i \in U}) = ((s_i^{n_i})_{S_i \in U}, (f_i^{n_i})_{S_i \in U})$, for every $U \in \Omega(\mathrm{InSys})$, where for every $S_i \in U$, $h(n_i) = ((s_j^{n_i})_{S_j \in U}, (f_j^{n_i})_{S_j \in U})$.$^3$

Theorem 8 ([18]). For every $S_i \in \mathrm{InSys}$, $\mathrm{Stalk}_{S_i}(\alpha)$ is (up to isomorphism) the map $B_{\mathbb{N}}(S_i) \times \mathbb{N} \to \mathrm{St}(S_i) \times \mathrm{Pa}(S_i)$, defined by $\alpha_{S_i}(h, n) = h(n)$.



9 Geometric logic and properties of systems 

We provide interpretations for properties of systems (i.e. statements about states, 
actions, behavior) both concretely (in the category of sets) and in a category 
of sheaves, and establish links between the set-theoretical (both for individual 
systems and for their interconnections) and the sheaf-theoretical interpretation. 
These links are then used to prove preservation of truth when interconnecting 
systems. 

$^2$ $f : U \to X$ is locally constant if $\forall x \in U$ there is an open neighborhood $U_x \subseteq U$ of $x$ on which $f$ is constant. This means that 'local clocks' of the systems in $U$ synchronize for systems sharing common subsystems.

$^3$ The map $\alpha_U$ has as arguments a behaviour along $\mathbb{N}$ of the family of systems in $U$, $h \in B_{\mathbb{N}}(U)$, and a tuple consisting of 'local clocks' of the systems in $U$ which synchronize on systems sharing common subsystems. $\alpha_U$ returns the pair $((s_i^{n_i})_{S_i \in U}, (f_i^{n_i})_{S_i \in U})$ where $(s_i^{n_i}, f_i^{n_i})$ is the pair state/parallel action in the behavior corresponding to the system $S_i$ in $U$, at the time point indicated by the local clock $n_i$ of $S_i$.
9.1 Many-sorted first order languages and their interpretation in Sh(I)

Let $\mathcal{L}$ be a many-sorted first-order language consisting of a collection of sorts and collections of function and relation symbols. Terms and atomic formulae from $\mathcal{L}$ are defined in the standard way; compound formulae are constructed by using the connectives $\vee, \wedge, \Rightarrow, \neg$ and the quantifiers $\exists, \forall$, for every sort $X$. An interpretation $\mathcal{M}$ of $\mathcal{L}$ in $\mathrm{Sh}(I)$ is constructed by associating:

— a sheaf $X^{\mathcal{M}}$ on $I$ to every sort $X$,

— a subsheaf $R^{\mathcal{M}} \subseteq X_1^{\mathcal{M}} \times \cdots \times X_n^{\mathcal{M}}$ to every relation symbol $R$ of arity $X_1 \times \cdots \times X_n$,

— an arrow $f^{\mathcal{M}} : X_1^{\mathcal{M}} \times \cdots \times X_n^{\mathcal{M}} \to Y^{\mathcal{M}}$ in $\mathrm{Sh}(I)$ to every function symbol $f$ with arity $X_1 \times \cdots \times X_n \to Y$.

Each term $t(x_1, \dots, x_n)$ of sort $Y$ is (inductively) interpreted as an arrow $t^{\mathcal{M}} : X_1^{\mathcal{M}} \times \cdots \times X_n^{\mathcal{M}} \to Y^{\mathcal{M}}$; and every formula $\phi(x_1, \dots, x_n)$ with free variables $FV(\phi) \subseteq \{x_1, \dots, x_n\}$, where $x_i$ is of sort $X_i$, gives rise to a subsheaf $\{(x_1, \dots, x_n) \mid \phi(x_1, \dots, x_n)\}^{\mathcal{M}} \subseteq X_1^{\mathcal{M}} \times \cdots \times X_n^{\mathcal{M}}$. For details we refer to [?], Ch. X.

Definition 9. A geometric formula is a formula built from atomic formulae by using only the connectives $\vee$ and $\wedge$ and the quantifier $\exists$. A geometric axiom is a formula of the form $(\forall x_1, \dots, x_n)(\phi \Rightarrow \psi)$ where $\phi$ and $\psi$ are geometric formulae.

Let $T$ be a theory in the language $\mathcal{L}$. A variable in a geometric formula is called $T$-provably unique if its value in every model of $T$ is uniquely determined by the values of the remaining free variables.

A cartesian formula w.r.t. $T$ is a formula constructed from atomic formulae using only the connective $\wedge$ and the quantifier $\exists$ over $T$-provably unique variables. A cartesian axiom w.r.t. $T$ is a formula of the form $(\forall x)(\phi(x) \Rightarrow \psi(x))$ where $\phi$ and $\psi$ are cartesian formulae w.r.t. $T$. A cartesian theory is a theory whose axioms can be ordered such that each is cartesian w.r.t. the preceding ones.

A geometric axiom $(\forall x_1 \dots x_n)(\phi \Rightarrow \psi)$ is satisfied in an interpretation $\mathcal{M}$ in $\mathrm{Sh}(I)$ if $\{(x_1, \dots, x_n) \mid \phi\}$ is a subobject of $\{(x_1, \dots, x_n) \mid \psi\}$ in $\mathrm{Sh}(I)$.

9.2 Stalk functors, global section functors; preservation of truth 

Stalk functors. For every $S_i \in \mathrm{InSys}$ let $f_i : \{*\} \to \mathrm{InSys}$ be defined by $f_i(*) = S_i$. The inverse image functor corresponding to $f_i$, the stalk functor $\mathrm{Stalk}_{S_i} = f_i^* : \mathrm{Sh}(\mathrm{InSys}) \to \mathrm{Set}$, associates to every sheaf $F \in \mathrm{Sh}(\mathrm{InSys})$ the stalk at $S_i$, $F_{S_i}$. For all $S_i \in \mathrm{InSys}$, $f_i^*$ preserves the validity of geometric axioms. The stalk functors $f_i^*$ are collectively faithful, so they reflect the validity of geometric axioms.

Global section functor. Consider the unique map $g : \mathrm{InSys} \to \{*\}$. The direct image functor, $g_* : \mathrm{Sh}(\mathrm{InSys}) \to \mathrm{Set}$, is the global section functor $g_*(F) = F(\mathrm{InSys})$ for every $F \in \mathrm{Sh}(\mathrm{InSys})$. Thus, the global section functor preserves the interpretation of every cartesian axiom.
9.3 A geometric logic for reasoning about complex systems

Let $\mathcal{L}$ be a fixed many-sorted language including at least sorts like st(ate), pa(rallel action), b(ehavior), t(ime); constants like $s_0 : st$ (initial state), $0 : t$ (initial moment of time); function symbols like

— $appl : b \times t \to st \times pa$,

— $p_1 : st \times pa \to st$,

— $p_2 : st \times pa \to pa$;

relation symbols like

— $tr$(ansition) $\subseteq pa \times st \times st$,

— $=_X \subseteq X \times X$ for every sort $X$, etc.

Let $\mathcal{M}$ be an interpretation of $\mathcal{L}$ in $\mathrm{Sh}(\mathrm{InSys})$ such that

— $st^{\mathcal{M}} = \mathrm{St}$, $pa^{\mathcal{M}} = \mathrm{Pa}$, $b^{\mathcal{M}} = B_{\mathbb{N}}$, $t^{\mathcal{M}} = \overline{N}$, $appl^{\mathcal{M}} = \alpha$,

— $p_1^{\mathcal{M}} = \pi_1$, $p_2^{\mathcal{M}} = \pi_2$ (the canonical projections),

— $tr^{\mathcal{M}} = \mathrm{Tr}$.

For every sort $X$, we interpret $=_X : X \times X \to \Omega$ as usual.

Theorem 9 ([18]). $\mathrm{Sh}(\mathrm{InSys})$ satisfies a geometric axiom in the interpretation $\mathcal{M}$ if and only if Set satisfies it in all interpretations $f_i^*(\mathcal{M})$. If $\mathrm{Sh}(\mathrm{InSys})$ satisfies a cartesian axiom, this is also true in Set in the interpretation $g_*(\mathcal{M})$ ($f_i^*(\mathcal{M})$ and $g_*(\mathcal{M})$ interpret a sort $X$ as $f_i^*(X^{\mathcal{M}})$ resp. $g_*(X^{\mathcal{M}})$).

From Theorems 3 and 5 we know that for every $S_i \in \mathrm{InSys}$,

$f_i^*(\mathrm{St}) = \mathrm{St}_{S_i} \simeq \mathrm{St}(S_i)$ and $f_i^*(\mathrm{Pa}) = \mathrm{Pa}_{S_i} \simeq \mathrm{Pa}(S_i)$;

if $S$ is the system obtained by interconnecting all elements in InSys,

$g_*(\mathrm{St}) = \mathrm{St}(\mathrm{InSys}) \simeq \mathrm{St}(S)$ and $g_*(\mathrm{Pa}) = \mathrm{Pa}(\mathrm{InSys}) \simeq \mathrm{Pa}(S)$.

The same holds for Tr and $B_T$. Moreover, $f_i^*(\overline{N}) = \mathbb{N}$, $g_*(\overline{N}) = \overline{N}(\mathrm{InSys})$, and, by Theorem 8,

$f_i^*(appl) = \alpha_{S_i} : B_{\mathbb{N}}(S_i) \times \mathbb{N} \to \mathrm{St}(S_i) \times \mathrm{Pa}(S_i)$.

Hence, statements about states, actions and transitions in $\mathrm{Sh}(\mathrm{InSys})$ are translated by $f_i^*$ (resp. $g_*$) to corresponding statements about states, actions and transitions in $S_i$ (resp. $S$).

We illustrate the ideas above by several classes of properties of systems (adapted from [11]) which we express in the language $\mathcal{L}$. For instance, if $h$ is a possible behavior and $j$ a moment in time, then $h(j)$ can be expressed in $\mathcal{L}$ by $appl(h, j)$; the state of $h$ at $j$ can be expressed by $s(h, j)$, where

$s = p_1 \circ appl : b \times t \xrightarrow{appl} st \times pa \xrightarrow{p_1} st$.
(a) Safety properties are of the form

$(\forall h : b)(\forall j : t)(P(s(h, 0)) \Rightarrow Q(s(h, j)))$,

where $P$ and $Q$ are formulae in $\mathcal{L}$. As examples we mention:
(i) Partial correctness:

$(\forall h : b)(\forall j : t)[(P(s(h, 0)) \wedge \mathrm{Final}(s(h, j))) \Rightarrow Q(s(h, j))]$;

(ii) Global invariance of $Q$:

$(\forall h : b)(\forall j : t)[P(s(h, 0)) \Rightarrow Q(s(h, j))]$.

(b) Liveness properties have the form

$(\forall h : b)[P(s(h, 0)) \Rightarrow (\exists j : t)\, Q(s(h, j))]$.

With $s_0$ denoting the initial and $s_f$ a final state, examples are:
(i) Total correctness and termination:

$(\forall h : b)[P(s(h, 0)) \Rightarrow (\exists j : t)(\mathrm{Final}(s(h, j)) \wedge Q(s(h, j)))]$;
(ii) Accessibility:

$(\forall h : b)[(s(h, 0) = s_0) \Rightarrow (\exists j : t)(s(h, j) = s_f)]$.

(c) Precedence properties:

$(\forall h : b)(\forall j : t)[(P(s(h, 0)) \wedge A(s(h, j))) \Rightarrow Q(s(h, j))]$.

Theorem 10 ([18]). Assume that the following conditions are fulfilled:

(1) The final states form a subsheaf $\mathrm{St}_f \subseteq \mathrm{St}$ interpreting a sort $st_f$ of $\mathcal{L}$. (This happens e.g. if in the definition of a system final states are specified by additional constraints, and in defining colimits this information is also used.)

(2) The properties $P, Q, A$ can be expressed in $\mathcal{L}$ (using the sorts, constants, function and relation symbols mentioned at the beginning of Section 9.3), and can be interpreted in $\mathrm{Sh}(\mathrm{InSys})$ and also in Set (to express, for every $S_i$ in InSys, the corresponding property of $S_i$, or $S$).

The truth of formulae describing safety, liveness and precedence properties (as in (a), (b), (c) above) is preserved under inverse image functors if in the definitions of the property $P$ (resp. $Q$, $A$) only conjunction, disjunction and existential quantification occur. The truth of these formulae is additionally preserved by direct image functors if only conjunction and unique existential quantification occur in them.
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9.4 Example 1: Safety of train system controlled by radio controller 

Consider the example in Section 7. Let $k < l \in \{1, \dots, n\}$, $I_1 = \{k, \dots, n\}$, $I_2 = \{1, \dots, l\}$, and $I_{12} = \{k, \dots, l\}$. Let $\mathsf{InSys} = \{S_1, S_2, S_{12}\}$ be the family consisting of the subsystems of $S$ described in Section 7 corresponding to the sets of trains with indices in $I_1$, $I_2$ and $I_{12}$. Let $\Gamma^s_j$, $j \in \{1, 2, 12\}$ be the following constraints encoding collision freeness of $S_j$ (where $\Rightarrow$ denotes logical implication):

$\Gamma^s_j = \{\, \mathit{succ}(\mathit{TrainIndex}_i) = \mathit{TrainIndex}_k \Rightarrow \mathit{ActualPos}_i < \mathit{ActualPos}_k - L \mid i, k \in I_j \,\}$.

For every $S_j$, $j \in \{1, 2, 12\}$, let $\mathit{SafeSt}(S_j) = \{\, s : X_j \to M_j \mid s \models \Gamma_j \cup \Gamma^s_j \,\}$ be the set of safe states of $S_j$$^{4}$. Let

$\mathit{SafeState} : \Omega(\mathsf{InSys}) \to \mathbf{Sets}$

be defined:

- on objects: by $\mathit{SafeState}(U) = \{\, (s_j)_{S_j \in U} \mid s_j \in \mathit{SafeSt}(S_j),\ \text{and } s_j|_{X_i} = s_i \text{ whenever } S_i \hookrightarrow S_j \,\}$, and

- on morphisms: by restriction.

We can define a set of similar constraints $\Gamma^s$ and a similar set of safe states $\mathit{SafeSt}(S)$ for the system $S$, where:

$\Gamma^s = \{\, \mathit{succ}(\mathit{TrainIndex}_i) = \mathit{TrainIndex}_k \Rightarrow \mathit{ActualPos}_i < \mathit{ActualPos}_k - L \mid 1 \le i, k \le n \,\}$.

If $I_1 \cap I_2 \neq \emptyset$ then $\Gamma^s_1 \cup \Gamma^s_2 = \Gamma^s$$^{5}$. Analogously to Theorem 4 we can show:
Theorem 11. The following hold:

1. $\mathit{SafeState}$ is a sheaf. Moreover, $\mathit{SafeState}$ is a subsheaf of $\mathit{St}$.

2. For each $S_i \in \mathsf{InSys}$, the stalk of $\mathit{SafeState}$ at $S_i$ is in bijection with $\mathit{SafeSt}(S_i)$.

3. $\mathit{SafeState}(\mathsf{InSys})$ is in bijection with $\mathit{SafeSt}(S)$.

Collision freeness can be expressed as follows:

$\mathit{CollFree}: \quad (\forall h : b)(\forall j : t)\,[\mathit{SafeState}(s(h,0)) \Rightarrow \mathit{SafeState}(s(h,j))]$.

This formula contains only atomic formulae and the implication symbol. Therefore, by Theorem 10 its truth is preserved both under inverse image functors and under direct image functors, and it is reflected by the stalk functors:

- Assume that $S_1, S_2, S_{12}$ satisfy $\mathit{CollFree}$. Then for all $h \in B_N(S_j)$, $t \in \mathbb{N}$, if $\pi_1(h(0)) \in \mathit{SafeSt}(S_j)$ then $\pi_1(h(t)) \in \mathit{SafeSt}(S_j)$. Due to the form of the formula $\mathit{CollFree}$, its truth is reflected by the stalk functors $i^* : \mathit{Sh}(\mathsf{InSys}) \to \mathbf{Set}$. It therefore follows that $\mathit{Sh}(\mathsf{InSys})$ satisfies, internally, the formula $\mathit{CollFree}$.

- The truth of $\mathit{CollFree}$ is preserved by the global section functor $\Gamma : \mathit{Sh}(\mathsf{InSys}) \to \mathbf{Set}$, defined by $\Gamma(F) = F(\mathsf{InSys})$. Therefore, (in $\mathbf{Set}$) the following holds:

$\forall h \in B_N(\mathsf{InSys}), \forall t \in N(\mathsf{InSys})\ [\pi_1(h(0)) \in \mathit{SafeState}(\mathsf{InSys}) \Rightarrow \pi_1(h(t)) \in \mathit{SafeState}(\mathsf{InSys})]$

As, by Theorems 11 and 5, $\mathit{SafeState}(\mathsf{InSys})$ is in bijective correspondence with $\mathit{SafeSt}(S)$ and $B_N(\mathsf{InSys})$ is in bijective correspondence with $B_N(S)$, we obtain:

$\forall h \in B_N(S), \forall t \in \mathbb{N}$, if $\pi_1(h(0)) \in \mathit{SafeSt}(S)$ then $\pi_1(h(t)) \in \mathit{SafeSt}(S)$.

$^{4}$ We denote by $\Gamma_j$ the restriction of $\Gamma$ (cf. Definition 1) to $X_j$.

$^{5}$ Note that if $I_1 \cap I_2 = \emptyset$ then some of the constraints of $\Gamma^s$ cannot be deduced from $\Gamma^s_1$ and $\Gamma^s_2$.

Corollary 1. Consider a family of consecutive trains on a linear track without loops. Assume that each train $i$ controls both its position and the position of its predecessor, and accordingly determines its movement mode. We obtain a family $\{S_i \mid i \in \{2, \dots, n\}\}$ of systems consisting of two successive trains each (each defined as in Example 1 for $n = 2$). Let $U$ consist of this family of systems together with their intersections. The colimit of this family is the system $S$ described in Example 1. By Theorem 10, if collision freeness can be guaranteed for all the systems in $U$, then the system $S$ is collision free.

For suitably chosen $\mathit{minSpeed}$, $\mathit{maxSpeed}$ and update interval $\Delta t$ all 2-train systems are collision free (for an automatic proof, ideas from [8] can be used). Therefore, the $n$-train system in Example 1 can be proved to be collision free for these values.

Remark: The condition that the systems consist of successive trains and overlap in one extremity is needed for recovering the successor constraints on trains for the colimit. We obtain similar links between global and local properties also with a cover consisting of one-train systems. However, then the colimit of the system defined by such a cover is different from the system $S$; we would obtain a link between the safety of the systems consisting of one train only and the safety of a system in which all trains are on independent tracks.
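The gluing behind Theorem 11 and the Remark can be checked on a small finite instance. The following script is an added example, not part of the paper: it models a linear track with $n$ trains and the constraint $\mathit{succ}(\mathit{TrainIndex}_i) = \mathit{TrainIndex}_k \Rightarrow \mathit{ActualPos}_i < \mathit{ActualPos}_k - L$ (with $\mathit{succ}(i) = i+1$), and compares the two-train cover of Corollary 1 against the one-train cover of the Remark; the value of $L$, the position grid and all function names are constructed assumptions.

```python
# Added example (not from the paper): finite check of the gluing behind
# Theorem 11 / Corollary 1 on a constructed linear track with n trains.
# Constraint as on the page: succ(TrainIndex_i) = TrainIndex_k
#   =>  ActualPos_i < ActualPos_k - L, with succ(i) = i + 1 on a linear track.
from itertools import product

L = 10  # constructed minimal separation between consecutive trains

def safe(state, indices):
    """SafeSt(S_j): the restriction of `state` (train -> position) to the
    trains in `indices` satisfies the successor constraints of Gamma^s_j."""
    return all(state[i] < state[i + 1] - L for i in indices if i + 1 in indices)

def two_train_cover(n):
    """Cover U of Corollary 1: S_i = {i-1, i} for i = 2..n plus their
    one-train intersections (the overlaps the sheaf condition glues over)."""
    return [{i - 1, i} for i in range(2, n + 1)] + [{i} for i in range(2, n)]

def one_train_cover(n):
    """Cover from the Remark: no overlaps, so no successor constraint survives."""
    return [{i} for i in range(1, n + 1)]

def glue(local_states):
    """Sheaf gluing: a family (s_j) agreeing on overlaps gives one global state;
    returns None when two local states disagree on a shared train."""
    glued = {}
    for s in local_states:
        for i, p in s.items():
            if glued.get(i, p) != p:
                return None
            glued[i] = p
    return glued

def local_safe_but_global_unsafe(n, cover_fn, grid=range(0, 45, 5)):
    """Count constructed states that every local system of the cover accepts
    (a compatible family of local safe states) but SafeSt(S) rejects.
    By Theorem 11.3 this is 0 exactly when the cover recovers Gamma^s."""
    cover = cover_fn(n)
    bad = 0
    for pos in product(grid, repeat=n):
        s = dict(enumerate(pos, start=1))
        restrictions = [{i: s[i] for i in idx} for idx in cover]
        if all(safe(r, set(r)) for r in restrictions):
            g = glue(restrictions)  # restrictions of one state always agree
            assert g == s
            if not safe(g, set(g)):
                bad += 1
    return bad
```

With three trains on the grid, the two-train cover never accepts a globally unsafe state, while the one-train cover accepts every state, including all 719 unsafe ones.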

9.5 Example 2: Liveness

We adapt the example in the previous section and give an example of a liveness property which can be expressed by means of a cartesian theory, and thus can be checked modularly. Assume that the constraints $\Gamma'_j$ for system $S_j$ consist of $\Gamma_j$ (defined as $\Gamma_j$ in Example 1) and the constraint $(\bigwedge_{i \in I_j} \mathit{Mode}_i = 0) \vee (\bigwedge_{i \in I_j} \mathit{Mode}_i > 0)$. As in Theorem 11 we can prove that this defines a subsheaf $\mathit{St}'_j$ of $\mathit{St}$; the following constraints define subsheaves of $\mathit{St}'$ with properties similar to those of $\mathit{SafeState}$:

- $\Gamma^U_j = \Gamma'_j \cup \Gamma^s_j \cup \{\mathit{Mode}_i = 0 \mid i \in I_j\}$ defines a sheaf $\mathit{SafeStateUpdate}$;

- $\Gamma^{\mathit{CanMove}}_j = \Gamma'_j \cup \{\mathit{Mode}_i > 0 \mid i \in I_j\}$ defines a sheaf $\mathit{CanMove}$;

- $\Gamma^{\mathit{CannotMove}}_j = \Gamma'_j \cup \{\mathit{Mode}_i = 0 \mid i \in I_j\}$ defines a sheaf $\mathit{CannotMove}$.
For $S_i \in \mathsf{InSys}$ let $\mathit{Minimal}(S_i) = \{\, (h, j) \mid s(h,j) \in \mathit{CanMove}(S_i) \text{ and } \forall k\, (s(h,k) \in \mathit{CanMove}(S_i) \to k \ge j) \,\}$, characterizing the minimal moment in time $j$ w.r.t. a behavior $h$ at which all trains in system $S_i$ can move. These definitions can be used to define a subsheaf $\mathit{MinimalCanMove} \subseteq B_N \times N$ with properties similar to those of $\mathit{St}, \mathit{Pa}, \mathit{Tr}, B$. A form of liveness can be expressed by the following cartesian axioms:

$\forall h : b\ (\mathit{SafeStateUpdate}(s(h,0)) \to \exists j : t\ \mathit{MinimalCanMove}(h, j))$

$\forall h : b, \forall i : t\ (\mathit{MinimalCanMove}(h, i) \to \mathit{CanMove}(s(h, i)))$

$\forall h : b, \forall i, k : t\ (\mathit{MinimalCanMove}(h, i) \wedge \mathit{CanMove}(s(h, k)) \to i \le k)$

(where the existentially quantified variable in the first axiom is provably unique modulo the second and third axioms), and can thus be checked modularly.

10 Conclusion 

We showed that a family InSys of interacting systems closed under pullbacks 
can be endowed with a topology which models the way these systems interact. 
States, parallel actions, transitions, and behavior can be described as sheaves on 
this topological space. We then used geometric logic to determine which kind of 
properties of systems in InSys are preserved when interconnecting these systems. 
The main advantage of our approach is that it enables us to verify properties of 
complex systems in a modular way. We illustrated the ideas by means of a run- 
ning example, involving systems of trains controlled by interacting controllers. In 
future work we plan to look at other applications, including geographically dis- 
tributed systems, controlled by geographically fixed controllers, whose domains 
overlap. 

We think that there should exist relationships between the approach described in this paper and other new approaches to the study of concurrency such as, for instance, higher dimensional automata (cf. [14,15]) or approaches based on methods from geometry and algebraic topology, in particular homotopic methods (cf. [7]). Links between algebraic topology and concurrency, as well as links with higher dimensional automata, have been studied e.g. by Gaucher, Goubault, Fajstrup, and Raussen (cf. e.g. [5,4]). We would like to compare our approach with the methods mentioned above. Using homological and especially homotopic methods seems to be the next natural step after the sheaf semantics given in this paper.
A Appendix. Sheaves of algebras

Let $A$ be an algebra of similarity type $\Sigma$, $(\theta_i)_{i \in I}$ a family of congruences on $A$, and $\tau$ a topology on $I$. The following problem was addressed and solved in [2]: In which situation does a sheaf exist with fibers $A_i = A/\theta_i$ such that for every $a \in A$ the map $[a] : I \to \coprod_{i \in I} A_i$ is a global section? Two constructions are possible:

Construction 1. Let $(F_A, f, I)$ be defined by $F_A = \coprod_{i \in I} A/\theta_i$, and $f : F_A \to I$ be the natural projection. Assume that a subbasis for the topology on $F_A$ is $\{[a](U) \mid U \in \tau, a \in A\}$, where $[a](U) = \{[a](i) \mid i \in U\} = \{[a]_{\theta_i} \mid i \in U\}$.

Construction 2. Let $G_A : \tau \to \Sigma\mathbf{Alg}$ be defined on objects by $G_A(U) = A/\theta_U$, where $\theta_U = \bigwedge_{i \in U} \theta_i$, and on morphisms, for every $V \subseteq U$, by the canonical morphism $G_A(U) = A/\theta_U \to A/\theta_V = G_A(V)$, $a_{\theta_U} \mapsto a_{\theta_V}$. Let $G_i = \varinjlim_{i \in U} G_A(U)$ be the stalks of $G_A$, and for every $i \in I$ let $g_i : G_i \to A_i$ be the unique morphism that arises from the universality property of the colimit. Note that $g_i(p_U(a)) = a_{\theta_i}$ for every $U \in \tau$ and every $i \in I$. $G_A$ is a presheaf of algebras. Let $(SG_A, g, I)$ be the associated sheaf.

In Construction 1, the stalk at $i$ is isomorphic to $A_i$, but $(F_A, f, I)$ might not be a sheaf space. In Construction 2, $(SG_A, g, I)$ is a sheaf space, but $g_i : G_i \to A_i$ may not be an isomorphism.

Theorem 12 ([2]). The following conditions are equivalent:

(1) If $[a]_{\theta_i} = [b]_{\theta_i}$ then there is an open neighborhood $U$ of $i$ such that for every $j \in U$, $[a]_{\theta_j} = [b]_{\theta_j}$.

(2) $(F_A, f, I)$ is a sheaf of algebras.

(3) For every $i \in I$, $g_i : G_i \to A_i$ is an isomorphism.

Definition 10. If $(\theta_i)_{i \in I}$ is a family of congruences on an algebra $A$, then any topology on $I$ that satisfies (1) is called an S-topology.

Corollary 2 ([2]). Assume that the topology on $I$ is an S-topology with respect to the family of congruences $(\theta_i)_{i \in I}$. Then $(F_A, f, I)$ and $(SG_A, g, I)$ are isomorphic sheaves of algebras for which

(1) The stalk at $i$ is isomorphic to $A_i = A/\theta_i$,

(2) The map $\alpha : A \to \Gamma(I, F_A)$ defined by $\alpha(a) = ([a]_{\theta_i})_{i \in I}$ is a homomorphism,

(3) In $A \xrightarrow{\alpha} \Gamma(I, F_A) \le \prod_{i \in I} A/\theta_i \xrightarrow{p_i} A/\theta_i$:

(i) $p_i \circ \alpha$ is an epimorphism, and

(ii) $A$ is a subdirect product of the family $(A/\theta_i)_{i \in I}$ iff $\bigwedge_{i \in I} \theta_i = \Delta_A$ (i.e. iff $\alpha$ is a monomorphism).

The coarsest S-topology on $I$ can be constructed as follows:

Lemma 5 ([2], [10]). Let $A \hookrightarrow \prod_{i \in I} A_i \xrightarrow{p_i} A_i$ be a subdirect product. The coarsest S-topology on $I$ is generated by the sets $E(a, b) = \{i \in I \mid p_i(a) = p_i(b)\}$ as a subbasis.
Lemma 6 ([10]). Let $A \hookrightarrow \prod_{i \in I} A_i \xrightarrow{p_i} A_i$ be a subdirect product and $\tau_1, \tau_2$ be two topologies on $I$. If $\tau_1 \subseteq \tau_2$ and $\tau_1$ contains the equalizer topology induced by $A$ (generated by the sets $E(a, b)$ as a subbasis), then $\Gamma(F_A, (f, \tau_1)) \subseteq \Gamma(F_A, (f, \tau_2))$.

Even if the topology on $I$ is an S-topology, $A$ is not necessarily isomorphic to the algebra $\Gamma(I, F_A)$. A necessary and sufficient condition for $A$ to be isomorphic to an algebra of global sections of a sheaf with fibers $A_i = A/\theta_i$, for $i \in I$, is given below:

Definition 11. A family $(c_i)_{i \in I}$ of elements of $A$ is said to be global with respect to $(\theta_i)_{i \in I}$ if for every $i \in I$ there exist $a^i_1, \dots, a^i_n, b^i_1, \dots, b^i_n \in A$ such that:

(i) $(a^i_j, b^i_j) \in \theta_i$ for every $j = 1, \dots, n$,

(ii) If $(a^i_j, b^i_j) \in \theta_k$ for every $j = 1, \dots, n$ then $(c_k, c_i) \in \theta_k$.

Theorem 13 ([2]). Let $(\theta_i)_{i \in I}$ be a family of congruences on an algebra $A$ such that $A$ is a subdirect product of $(A/\theta_i)_{i \in I}$. Endow $I$ with its coarsest S-topology. Then $\alpha : A \to \Gamma(I, F_A)$ is an isomorphism iff for every family of elements $(c_i)_{i \in I}$ global with respect to $(\theta_i)_{i \in I}$, there is a $c \in A$ with $(c, c_i) \in \theta_i$ for every $i \in I$.

B Appendix. Partially commutative monoids

If $G = (A, D)$ is a dependency graph, we denote by $M(G)$ the quotient $A^*/\theta$, where $\theta$ is the congruence generated by $\{(a_1 a_2, a_2 a_1) \mid (a_1, a_2) \notin D\}$ (a free partially commutative monoid).

Theorem 14 (Corollary 1.4.5 in [3]). Let $G$ be an undirected graph and $\{G_j \mid j \in J\}$ be a finite family of subgraphs of $G$. For $j \in J$ let $\pi_j : M(G) \to M(G_j)$ be the canonical projection and $\pi : M(G) \to \prod_{j \in J} M(G_j)$ be the homomorphism into the direct product defined by $\pi(t) = (\pi_j(t))_{j \in J}$. Then $\pi$ is injective iff $G = \bigcup_{j \in J} G_j$.

If $\{M_j \mid j \in J\}$ is a family of non-trivial free partially commutative monoids then $\prod_{j \in J} M_j$ is free partially commutative iff $J$ is finite [3]. If $\{G_j \mid j \in J\}$ is not finite, then (assuming that for every vertex $x$ of $G$ there are finitely many $j \in J$ such that $x$ is a vertex of $G_j$) there is an injective morphism $M(G) \to \bigoplus_{j \in J} M(G_j)$, where $\bigoplus_{j \in J} M(G_j) = \{(m_j)_{j \in J} \mid m_j \in M(G_j) \text{ for all } j \in J,\ m_j = e \text{ a.e.}\}$ [3], p. 27.

a.e. means almost everywhere